Really enjoyed Challenge 5 on integer overflow and Challenge 15 on brute forcing stack canaries!
Challenge 5 was quite realistic as I happened to read a write-up that seems to have the same logic flaw. This was the write-up I was looking at that I find particularly relevant:
pwn4fun Spring 2014 - Safari - Part I: "Back in March this year I entered the pwn4fun hacking contest at CanSecWest […]"
Calculations were done twice using variables of different sizes (e.g. short vs. integer vs. double), which led to an overflow.
Summary of my learning points:
- Don't assume. (The mistake I made was that I tested the max value of a signed 32-bit int, 2147483647, and then went on to test negative values. I never tested the max value 2147483647+1, etc.)
- In gdb, a read with a very large buffer will fail!
- Pay attention to the use of registers. One uses eax, the other uses rax = fishy.
- Forking a child process allows brute forcing of canaries.
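The mixed-width flaw from Challenge 5 (the bounds check and the copy length computed in differently sized variables) and the "test max value + 1" lesson, as an added illustration that is not code from the challenge or the linked write-up; the function names, BUF_SIZE and the inputs are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 64   /* constructed destination buffer size */

/* Constructed flaw: the bounds check is done on a 16-bit short while the
 * length actually used is recomputed at full 32-bit width, so a value that
 * wraps the short passes the check.  Returns the number of bytes that would
 * be copied into a BUF_SIZE buffer, or -1 when the check rejects it. */
int flawed_copy_len(int count, int elem) {
    /* int -> short truncation is compiler-defined; GCC and Clang wrap mod 2^16 */
    short checked = (short)(count * elem);
    if (checked < 0 || checked > BUF_SIZE)
        return -1;                     /* "safe" according to the narrow copy */
    int actual = count * elem;         /* same calculation, wider type */
    return actual;                     /* may far exceed BUF_SIZE */
}

/* Hardened: one computation, one type, explicit overflow detection.
 * __builtin_mul_overflow exists in GCC and Clang. */
int safe_copy_len(int count, int elem) {
    int total;
    if (count < 0 || elem < 0)
        return -1;
    if (__builtin_mul_overflow(count, elem, &total))
        return -1;                     /* multiplication overflowed int */
    if (total > BUF_SIZE)
        return -1;
    return total;
}

int main(void) {
    /* 65544 wraps to 8 in a short: the flawed check accepts 65544 bytes */
    printf("flawed: %d\n", flawed_copy_len(65544, 1));
    printf("safe:   %d\n", safe_copy_len(65544, 1));
    /* INT_MAX * 2 is the "max value + 1" class of input the post mentions */
    printf("safe (INT_MAX*2): %d\n", safe_copy_len(INT_MAX, 2));
    return 0;
}
```

Testing 2147483647 alone never trips either check; only the wrapped and overflowing inputs show the difference between the two versions.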
And here are my solutions: