Hello Guyz,
In This Post, I am going to show you how we can win protostar stack1 level and in today's tutorial, our main focus will be on variable overwriting. we are going to learn a simple concept/technique that can overwrite the values of any variable Onto Stack during running state.
This level is at /opt/protostar/bin/stack1
If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your readers.
Protostar is little endian
Before Start, Let's Try To Understand Situation Onto The Stack
Very Easy! Hahaha.
In This Post, I am going to show you how we can win protostar stack1 level and in today's tutorial, our main focus will be on variable overwriting. we are going to learn a simple concept/technique that can overwrite the values of any variable Onto Stack during running state.
Before Starting This Walkthrough. I want to highlight Few Points.
- I'm not the creator of protostar war game. I am just a player.
- Here, I am Just providing you hints and reference so, that if you feel stuck anywhere. Take a Look Here.
Source Code :
1 | #include <stdlib.h> |
Hint Provided By Exploit-Exercise.
This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.This level is at /opt/protostar/bin/stack1
If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your readers.
Protostar is little endian
Solution:
Simply We Just Need To Overwrite the value of modified variable located Onto the Stack.Before Start, Let's Try To Understand Situation Onto The Stack
0 28 92 96
============================================================================================
Other Things | Injectable Area | modified |
============================================================================================
Disassembly Of Codes
0x08048464 <+0>: push ebp
0x08048465 <+1>: mov ebp,esp
0x08048467 <+3>: and esp,0xfffffff0
0x0804846a <+6>: sub esp,0x60 << ====== 96 Bits Buffer Created
0x0804846d <+9>: cmp DWORD PTR [ebp+0x8],0x1 << ====== Comparing Args Variable with 1
0x08048471 <+13>: jne 0x8048487 <main+35> << ====== Jump Condition
0x08048473 <+15>: mov DWORD PTR [esp+0x4],0x80485a0
0x0804847b <+23>: mov DWORD PTR [esp],0x1
0x08048482 <+30>: call 0x8048388 <errx@plt>
0x08048487 <+35>: mov DWORD PTR [esp+0x5c],0x0 << ===== Variable Value [modified variable]
0x0804848f <+43>: mov eax,DWORD PTR [ebp+0xc] << ===== BUffer Starting Address To Insert String Through Strcpy
0x08048492 <+46>: add eax,0x4 << ===== Add 4 To EAX
0x08048495 <+49>: mov eax,DWORD PTR [eax] << ===== Loading Data From EAX mapped
0x08048497 <+51>: mov DWORD PTR [esp+0x4],eax << ===== Storing Current EAX Value Into Stack
0x0804849b <+55>: lea eax,[esp+0x1c] << ===== Starting POint Address To Insert Data Into Stack Buffer
0x0804849f <+59>: mov DWORD PTR [esp],eax
0x080484a2 <+62>: call 0x8048368 <strcpy@plt>
0x080484a7 <+67>: mov eax,DWORD PTR [esp+0x5c]
0x080484ab <+71>: cmp eax,0x61626364
0x080484b0 <+76>: jne 0x80484c0 <main+92>
0x080484b2 <+78>: mov DWORD PTR [esp],0x80485bc
0x080484b9 <+85>: call 0x8048398 <puts@plt>
0x080484be <+90>: jmp 0x80484d5 <main+113>
0x080484c0 <+92>: mov edx,DWORD PTR [esp+0x5c]
0x080484c4 <+96>: mov eax,0x80485f3
0x080484c9 <+101>: mov DWORD PTR [esp+0x4],edx
0x080484cd <+105>: mov DWORD PTR [esp],eax
0x080484d0 <+108>: call 0x8048378 <printf@plt>
0x080484d5 <+113>: leave
0x080484d6 <+114>: ret
Exploit
1 | #!/usr/bin/python |
Very Easy! Hahaha.