Posts

Introduction - Start Here

Welcome! I'm Alex, and I created this site to document my progress as I learn binary exploitation, and to help others who may be doing the same. There aren't necessarily any prerequisites for this blog, but if you are new to the subject then you should familiarize yourself with the basics before continuing: The C programming language. There is a plethora of resources online, but I found Learn-C and Learn C The Hard Way particularly helpful. C is essential to understanding memory management and assembly language. Make sure you spend some time learning the compilation process, which converts human-readable C code into executable machine code. Introduction to Intel X86 Assembly from OpenSecurityTraining. Xeno Kovah introduces Intel X86 Assembly and walks you through the most common instructions in early-2000s 480p YouTube glory. This two-day, 16-hour series is a major investment, but it will pay dividends. Exploits 1 from OpenSecurityTraining. Corey Kallenburg explai...

Keygenme 0x01 - "simpledatas_keygenme_1" by simpledata

Prev: 0x00 - OldSoft's Keygenme #2 "simpledatas_keygenme_1" by simpledata can be found here. Like the prior level, this is classified on the site as a "Very Easy" C/C++ program for the Windows platform. Note that the .zip password this time is "crackmes.de". When we run the program we find that it is (surprise) very straightforward: a name and serial number are requested, and when we select "Check" we receive feedback on our input. Let's load it into IDA and look for feedback prompts in the Strings window (Shift+F12) so that we can find the proper function. "Great job cracker!" appears to be the success message, so let's double-click it to jump to its address in the IDA view. If we then right-click to view its cross-references, we find just one. Hit "OK" to jump to it. We land in a subroutine which takes two character pointers as arguments and ultimately lands in one of two boxes/sets of instructions - one...

Keygenme 0x00 - "Keygenme #2" by OldSoft

Next: 0x01 - simpledatas_keygenme_1 "Keygenme #2" by OldSoft and modernized by wolverine2k can be found here. This is classified on the site as a "Very Easy" C/C++ program for the Windows platform. If we run the program, we can see that the functionality is very simple: first, the program asks for our name. Then, it asks for the serial number. Finally, it provides feedback based on the values we provide, and calls system("pause") before exiting. If we open this in IDA, IDA starts us at "mainCRTStartup", which initializes the C runtime library - something not necessarily useful for us here. If we click into "__main" via the Functions window, we can't quite find any valuable code here either. One trick we can employ is to search for the strings used within the program. Pressing Ctrl+12 will bring up the Strings window. Locate where it says "Enter your name:" and double-click it to load its line in the read-only ...

Fusion 0x01 - Level01 pt 1

Prev: 0x00 - Level00 This is the exact same level as before, but this time, Address Space Layout Randomization (ASLR) is enabled. ASLR is an exploit prevention technique in which the virtual memory locations of various regions of a process are randomized. In this case, per this level's instructions, the randomized regions are the stack, heap, and mmap. With ASLR enabled, we can no longer reliably jump into our shellcode on the stack as the stack location will vary from process to process. This is a significant roadblock, but there are still several techniques to bypass this protection: Leak a memory address. If we can leak a stack address while the program is running, we can use it as an anchor from which we can calculate offsets to other areas of the stack. Remember: the address of the stack itself is randomized, but not its overall layout. Thus, if we use gdb to understand the stack layout, then one leaked stack address allows us to understand the entire stack at runtime...

Fusion 0x00 - Level00

Next: 0x01 - Level01 pt 1 This level is explained as a warm-up. We know that the Fusion series will present us with certain protections against exploitation, but this level has no such protections and is effectively a standard stack buffer overflow exploit. Starting with "main," we can see the standard daemon server setup that we are familiar with from the Protostar Net and Final levels. It calls only one function that we are concerned with: "parse_http_request." This function first declares a char buffer and two char pointers, then prints the address of the buffer. Next, it reads our input via "read," and compares the first 4 characters to "GET ", erroring out if the compare returns a nonzero integer, meaning that the strings are not equivalent per the "memcmp" man page. Next, it checks our input after the first four "GET " characters to see if we've supplied an additional space, indicating that we've p...

Protostar 0x16 - Final1

Prev: 0x15 - Final0 This level is a remote format string exploit with a little twist - the vulnerability here will be much less obvious than in prior format string exploit exercises. Let's start by analyzing the source code. First, there are no surprises in "main," and we can see that it operates in the same way as before. This time, however, it calls two new functions: "getipport" and "parser." "getipport" uses the "getpeername" function to obtain our IP address and port, and then stores those via "sprintf" into a formatted string within the 64-byte "hostname" buffer. Then, "parser" comes in to read our input in a forever loop via fgets, printing "[final1] $" each time and removing a couple of whitespace characters via a custom "trim" function before actually parsing our input. If we enter "username " and then some other input, that additional input is copied i...