Category 1: bug hunting (sources and binaries at http://swarm.cs.pub.ro/~rcaragea/bug_hunt.zip )

• bitcount
  • The program has three methods of computing set bits, are they equivalent? Fix the bugs and end all doubts.
• index
  • It shouldn't be possible to call 'good_func()' but it is. Fix it.
• string_lord
  • Find out the bugs with calc_size(). See what happens with inputs like:
    • 1 aaaaaaaaaaaaaa
    • 128 aaaa

Category 2: address space recap

• gatekeeper_01 Login password: '4321'
• gatekeeper_02 Login password: '657a609fb15bfb8aa11d4566143e11eb'
• gatekeeper_03 Login password: 'd7e3fb11c279ca1eb7df1039880f20f5'
  • Hint: what happens before main() is called?

Category 3: memory corruption

• randmin_01 Login password: '1234'
• randmin_02 Login password: '2c9788a87a7acb45cdb145f1a838af40'
• randmin_03: You need to defeat NX by returning to (hijacking control flow into) a libc function. Login password: 'd1c740616eea5ce69d53a4493cf15fa7'
• randmin_04: Same as above but this task does not call system anywhere.
• randmin_05: You need to defeat NX + ASLR
  • To solve this task and the next ones you have to activate ASLR. There is a shortcut provided for this: just run 'aslr_online' on the lab machines
  • Why doesn't the previous solution work this time?
• randmin_06: You need to defeat NX + ASLR + PIE
• randmin_07 (Bonus) : You need to defeat NX + ASLR + PIE + SSP