Fusion Exploit Challenges Level00 Solution

Introduction Research I began by looking for the port level00 listened on. However, it was not in the source code. I found it by running a netstat -tulpn: From the output you can see level00 listens on port 20000. We could have also found this by setting a breakpoint on SERVE_FOREVER and examining the port […]

Protostar Exploit Challenges Net0 Solution

Introduction This is probably the simplest challenge so far. The program sends you a number and you have to convert that number to little endian. There’s really not much more to it then that. Checking Things Out I started by just using netcat to see what the output looked like: user@protostar:~$ nc 127.0.0.1 2999 Please […]

Protostar Exploit Challenges Heap2 Solution

Introduction This scenario requires knowledge of heap allocations and a bit about the nature of the C language. Take your time to familiarize yourself with the code as it can be rather confusing if you are a newcomer. Specifically, take time to think about what is happening in memory during the allocations for auth->name, auth->auth, […]

Protostar Exploit Challenges Heap1 Solution

Introduction This challenge introduces the concept of control flow hijacking. It’s another heap based buffer overflow. The overflow isn’t hard to find, just look at the only two strcpy calls and you’ll notice neither of them do any bounds checking. Finding the Exploit I wasn’t immediately sure what to do with this one so I […]

Protostar Exploit Challenges Heap0 Solution

Introduction This challenge serves as the introduction into heap exploitation and as such isn’t too bad. In fact, we’ll exploit this in a manner very similar to classic stack based overflow. Set Up For starters, I just examined the output of the program. Once I observed the information they gave me, the location of data […]

Protostar Exploit Challenges Format 3 Solution

Overview There’s really not much to this one. It’s pretty much the same as format2 with the only difference being we’ll need to write multiple bytes. Finding Our String I started in the same manner we have been for the last several challenges by printing off values from the stack. After printing those values, I […]

Protostar Exploit Challenges Format 2 Solution

Direct Parameter Access In the previous tutorial, I demonstrated how to use %x format specifiers to print values of the top of the stack and ultimately write to an arbitrary location in memory. In this case, it is not possible to input an arbitrarily long string as the code now limits the string to size […]