Fusion Exploit Challenges Level 01

Some GDB Housekeeping When I first started this challenge, I was quite thrown off. I started debugging with GDB and my level00 exploit worked perfectly as is. In fact, after closer inspection I realized that none of the addresses from level00 were different in level01. I figured this wasn’t a coincidence. After running my exploit […]

Fusion Exploit Challenges Level00 Solution

Introduction Research I began by looking for the port level00 listened on. However, it was not in the source code. I found it by running a netstat -tulpn: From the output you can see level00 listens on port 20000. We could have also found this by setting a breakpoint on SERVE_FOREVER and examining the port […]

Protostar Exploit Challenges Format0 Solution

Introduction Format0 is the introduction to the string exploitation levels. There isn’t much to it except a bit of minutia in the printf function. Exploitation We must complete this level in under 10 bytes of input, which means we can’t do our typical print 1 billion As deal. What we instead do is use the […]

Protostar Exploit Challenges Stack 7 Solution

Introduction This challenge is nearly identical to the last except that you must find a random ret to use and then jump to system. Exploitation Using the same tactics as before I determined the address of my environment variable was at 0xbffffe63. Now what we need is a gadget containing a RET. There are fancier, more sophisticated ways […]

Protostar Exploit Challenges Stack 6 Solution

Introduction This challenge introduces the return to libc. As far as the bug itself, it remains the same as previous stack challenges. The only difference is that the return address can’t be in the range of 0xbf000000, i.e. the stack. Ret2LibC Fortunately, this restriction isn’t hard to bypass. You can return into any function […]

Protostar Exploit Challenges Stack5 Solution

Introduction There really isn’t anything to this one. It is exactly the same as the last challenge except you add your own shellcode. Generating Shellcode I just used Kali Linux to generate my shellcode. In this case it is a bind shell which listens on port 4444. To get to this just log in to […]

Protostar Exploit Challenges Stack4 Solution

Introduction This challenge is one step up from the others in that now we must use GDB. Alternatively, you could use some guess and check, but that would just make your life harder. Exploitation In this challenge you have to understand a bit about C. The function gets does no bounds checking of any sort […]

Protostar Exploitation Challenges Stack3 Solution

Introduction This level is about the same as the others. The only difference is that instead of overwriting a regular variable you overwrite a function pointer. When the pointer is called, the program must instead call your overwritten function pointer. Exploitation The hint tells you to use gdb or objdump. Using objdump you want to take […]

Protostar Exploit Exercises Stack 2 Solution

Introduction This exercise introduces environment variables and their utility for placing arbitrary values into memory. These values may later be retrieved and used for exploitation. Exploitation You must set the GREENIE environment variable; the code will then copy the contents of that environment variable and place it into the buffer buffer. Because the variable modified […]