Protostar – format4

Information %p format4 looks at one method of redirecting execution in a process. Hints • objdump -TR is your friend This level is at /opt/protostar/bin/format4 Source code Solution In this level, I don’t have to overwrite the content of a variable but to redirect the program to the function hello(). The format string vulnerability is ...

Protostar – format3

Information This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory. This level is at /opt/protostar/bin/format3 Source code Solution This is nearly the same code as in the ...

Protostar – format2

Information This level moves on from format1 and shows how specific values can be written in memory. This level is at /opt/protostar/bin/format2 Source code Solution This time the variable ‘buffer’ can’t be overflowed due to the use of: fgets(buffer, sizeof(buffer), stdin); But the program is vulnerable to a format string attack because of this: printf(buffer); ...

Protostar – format1

Information This level shows how format strings can be used to modify arbitrary memory locations. Hints • objdump -t is your friend, and your input string lies far up the stack 🙂 This level is at /opt/protostar/bin/format1 Source code Solution This level introduces format string vulnerability and exploitation. The vulnerability is here: printf(string); The ...

Protostar – format0

Information This level introduces format strings, and how attacker supplied format strings can modify the execution flow of programs. Hints • This level should be done in less than 10 bytes of input. • “Exploiting format string vulnerabilities” This level is at /opt/protostar/bin/format0 Source code Solution This level is not really about a format string ...

Protostar – stack7

Information Stack6 introduces return to .text to gain code execution. The metasploit tool “msfelfscan” can make searching for suitable instructions very easy, otherwise looking through objdump output will suffice. This level is at /opt/protostar/bin/stack7 Source code Solution Well, I don’t understand the point of this level. It is exactly the same as the previous one. ...

Protostar – stack6

Information Stack6 looks at what happens when you have restrictions on the return address. This level can be done in a couple of ways, such as finding the duplicate of the payload (objdump -s will help with this), or ret2libc, or even return orientated programming. It is strongly suggested you experiment with multiple ways of ...

Protostar – stack5

Information Stack5 is a standard buffer overflow, this time introducing shellcode. This level is at /opt/protostar/bin/stack5 Hints • At this point in time, it might be easier to use someone else's shellcode • If debugging the shellcode, use \xcc (int3) to stop the program executing and return to the debugger • remove the int3s once ...

Protostar – stack4

Information Stack4 takes a look at overwriting saved EIP and standard buffer overflows. This level is at /opt/protostar/bin/stack4 Hints • A variety of introductory papers into buffer overflows may help. • gdb lets you do “run < input” • EIP is not directly after the end of buffer, compiler padding can also increase the size. ...

Protostar – stack3

Information Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP) Hints • both gdb and objdump are your friends in determining where the win() function lies in memory. This level is at /opt/protostar/bin/stack3 Source code Solution After ...