Protostar/Final 0

If you get stuck, you can watch the solution and explanation here:

Writing an exploit in python to solve final0 from exploit-exercises protostar.

This level combines a stack overflow and network programming for a remote overflow.

Depending on where you are returning to, you may wish to use a toupper()-proof shellcode.
Core files will be in /tmp.

This level is at /opt/protostar/bin/final0


#include "../common/common.c"

#define NAME "final0"
#define UID 0
#define GID 0
#define PORT 2995

/*
 * Read the username in from the network
 */

char *get_username()
{
  char buffer[512];
  char *q;
  int i;

  memset(buffer, 0, sizeof(buffer));
  gets(buffer);  /* unbounded read into the 512-byte stack buffer */

  /* Strip off trailing new line characters */
  q = strchr(buffer, '\n');
  if(q) *q = 0;
  q = strchr(buffer, '\r');
  if(q) *q = 0;

  /* Convert to upper case */
  for(i = 0; i < strlen(buffer); i++) {
      buffer[i] = toupper(buffer[i]);
  }

  /* Duplicate the string and return it */
  return strdup(buffer);
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *username;

  /* Run the process as a daemon */
  background_process(NAME, UID, GID);

  /* Wait for socket activity and return */
  fd = serve_forever(PORT);

  /* Set the client socket to STDIN, STDOUT, and STDERR */
  set_io(fd);

  username = get_username();

  printf("No such user %s\n", username);
}
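For comparison, a version of get_username() that reads the username with an explicit length limit. This is an added example, not part of the original level or of the exploit-exercises code; the names read_username, USERNAME_MAX and the USER_* return codes are assumptions made for it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 512  /* same size as the level's stack buffer */

/* Return codes for read_username() (hypothetical names). */
enum { USER_OK = 0, USER_EOF = -1, USER_TOO_LONG = -2 };

/*
 * Bounded replacement for get_username(): reads one line from `in` into
 * `out` (capacity `outsz`), strips CR/LF and upper-cases it in place.
 * An oversized line is discarded in full and reported to the caller.
 */
int read_username(FILE *in, char *out, size_t outsz)
{
    size_t len, i;
    int c;

    if (outsz < 2 || fgets(out, (int)outsz, in) == NULL)
        return USER_EOF;

    len = strlen(out);
    if (len == outsz - 1 && out[len - 1] != '\n') {
        /* Buffer full with no newline: drain the rest of the line so the
         * tail is not parsed as a second username on the next call. */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        out[0] = '\0';
        return USER_TOO_LONG;
    }
    out[strcspn(out, "\r\n")] = '\0';   /* strip trailing CR/LF */

    /* Cast to unsigned char: a negative char passed to toupper() is UB. */
    for (i = 0; out[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return USER_OK;
}

int main(void)
{
    char name[USERNAME_MAX];
    int rc = read_username(stdin, name, sizeof name);

    if (rc == USER_OK)
        printf("No such user %s\n", name);
    return rc == USER_OK ? 0 : 1;
}
```

Because the caller supplies the buffer and its size, the strdup() of the original is no longer needed and nothing is written past the end of `out`, whatever the client sends.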

See also

Exploring exploit-exercises protostar final0 level, triggering a buffer overflow and analysing core dumps generated by a segfault signal.

We will learn how to daemonize a process and see how a server handles connections.

This is a mirror. Copyright and original can be found here: