Level 1: Integer overflow
Level 2: Stack overflow
Level 3: Array overflow
Level 4: Off by one
Level 5: Stack cookie
Level 6: Format string
Level 7: Heap overflow
Level 8: Structure redirection / Type confusion
Level 9: Zero pointers
Level 10: Command injection
Level 11: Path Traversal
Level 12: Return oriented programming (ROP)
Level 13: Use-after-free
Level 14: Jump oriented programming (JOP)
- Install the needed tools on the host (Ubuntu):
~$ cd exploit_me
~/exploit_me $ ./scripts/setup.sh
- Some problems you may run into, and their solutions:
(1) pip or pip3 command not found: sudo apt-get update
(2) Permission denied: sudo chmod +x exploit
(3) ...
-
See hints.txt for a start.
-
To check that it works:
*** 32-Bit:
$ ./bin/exploit
*** 64-Bit:
$ ./bin/exploit64
-
Example debugging session:
$ sudo ./scripts/disableaslr.sh
(Disables ASLR; don't run it if you want more of a challenge.)
(A path dir1/dir2 must exist in the current exploit directory for the Path Traversal level.)
*** 32-Bit:
$ ./bin/arm exploit [levelpassword] [options] &
$ gdb-multiarch ./exploit
pwndbg> set architecture arm
Alternatively, add the architecture to .gdbinit with "set architecture arm".
*** 64-Bit:
$ ./bin/arm64 exploit64 [levelpassword] [options] &
$ gdb-multiarch ./exploit64
pwndbg> set architecture aarch64
Alternatively, add the architecture to .gdbinit with "set architecture aarch64".
*** Example .gdbinit
set endian little
#set architecture arm
#set architecture aarch64
target remote :1234
-
GDB Basics:
- "si" steps into a function; "so" steps over it.
- "info functions" lists all functions; "p [function]" prints a function's address and information.
- If symbols exist, "b [function]" sets a breakpoint by name (example: "b main"); "b *0x1234" sets a breakpoint at address 0x1234; "c" continues the program.
- "x/[dwords]x [addr]" examines memory at an address, for example "x/4x 0x1234"; "x/[dwords]x $reg" examines memory at the address held in a register, for example "x/4x $sp".
- With pwndbg, "rop" lists ROP gadgets, for example "rop --grep 'pop {r3'" lists gadgets that pop a value from the stack into r3.
See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md for more details!
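The debugging session and the GDB basics above, folded into one shell script as an added example (not the project's own code). It assumes bin/arm and bin/arm64 are the emulator wrappers that expose a gdb stub on :1234, that the level binaries exploit and exploit64 sit in the current directory, and that gdb-multiarch with pwndbg was installed by scripts/setup.sh.

```shell
#!/bin/sh
# Added example (not from the exploit_me project): wraps the debugging
# session above into one script. Assumptions: bin/arm and bin/arm64 are the
# emulator wrappers that expose a gdb stub on :1234, and gdb-multiarch with
# pwndbg is installed by scripts/setup.sh.
set -eu

# Map the level binary name to the gdb architecture the session needs.
gdb_arch() {
    case "$1" in
        exploit)   echo arm ;;
        exploit64) echo aarch64 ;;
        *) echo "unknown binary: $1" >&2; return 1 ;;
    esac
}

# Pick the matching emulator wrapper from bin/ (assumed names).
runner_for() {
    case "$1" in
        exploit)   echo bin/arm ;;
        exploit64) echo bin/arm64 ;;
        *) return 1 ;;
    esac
}

# Emit a .gdbinit for the binary: endian, architecture, the remote stub,
# and a breakpoint on main that dumps the top of the stack when hit.
make_gdbinit() {
    arch=$(gdb_arch "$1") || return 1
    printf 'set endian little\nset architecture %s\ntarget remote :1234\n' "$arch"
    printf 'b main\ncommands\n  x/8x $sp\nend\n'
}

# Usage: debug_level <exploit|exploit64> [levelpassword] [options...]
debug_level() {
    bin=$1; shift
    runner=$(runner_for "$bin") || { echo "use exploit or exploit64" >&2; return 1; }
    init=$(mktemp)
    make_gdbinit "$bin" > "$init"
    "$runner" "$bin" "$@" &        # emulator waits for gdb on :1234
    runner_pid=$!
    gdb-multiarch -q -x "$init" "./$bin"
    kill "$runner_pid" 2>/dev/null || true   # stop the emulator when gdb exits
    rm -f "$init"
}
# Only run when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    debug_level "$@"
fi
```

Run it as `./debug_level.sh exploit64 Level2` to start the 64-bit level under the emulator and attach gdb with the generated .gdbinit; type "c" at the pwndbg prompt to reach the breakpoint on main.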
-
After a successful exploit, you will see the password for the next level. So if the level 2 password were "Level2":
*** 32-Bit:
$ ./bin/exploit Level2
*** 64-Bit:
$ ./bin/exploit64 Level2