You can find Protostar there: Protostar
Looking at the source code of the binary: we have a variable called `buffer`, which is a 64-byte buffer, and another variable called `modified`, which is set to 0. Then we have the vulnerable `gets` function. `gets` does not check the length of the input while reading bytes, so it will happily write past the end of `buffer`. Finally we have an if statement that checks whether the value of `modified` is not 0. So we have to change the value of that variable.
Let's fire up `gdb`.
In the disassembly we can see the call to the vulnerable `gets()` function.
Let's add a breakpoint right after the `gets()` call and run the binary.
Now let's examine memory at the `ESP` register.
We can see `0x41414141` in memory: `0x41` is the ASCII code for `A`, so these are the bytes we typed.
We can also see a `0x00000000` value; that is probably the `modified = 0` variable.
Now let's input more than 64 bytes.
We can see that memory is now full of our `0x41` (`A`) bytes, and the `0x00000000` value has been overwritten with a single `0x41`, which means `modified` is no longer 0 and we got the flag.
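To make the two observations above concrete (64 bytes leave `modified` untouched, one more byte flips it) and to show the fix a defender would apply, here is an added C example. It is not the stack0 source or any code from the original post: it models the frame layout seen in the gdb session (a 64-byte buffer immediately followed by the 4-byte `modified`) as a plain byte array, so every write stays well-defined C, and runs a constructed line of `A` bytes through a `gets`-like unbounded read and an `fgets`-like bounded read. The names `frame_t`, `read_like_gets`, `read_like_fgets` and `modified_after` are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout as observed in the gdb session: a 64-byte buffer followed directly
 * by the 4-byte `modified`. Modelling the frame as one byte array keeps every
 * write well-defined C instead of depending on the real stack layout.
 * (Assumed model for illustration, not the stack0 program itself.) */
enum { BUF_SIZE = 64, FRAME_SIZE = BUF_SIZE + 4 };

typedef struct {
    unsigned char bytes[FRAME_SIZE];   /* [0..63] = buffer, [64..67] = modified */
} frame_t;

static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);   /* modified = 0, buffer zeroed */
}

/* Read `modified` the way the x86 target stores it: little-endian 32-bit. */
static uint32_t frame_modified(const frame_t *f) {
    const unsigned char *p = f->bytes + BUF_SIZE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Behaves like gets(buffer): copies the whole line plus a terminating NUL
 * with no regard for the 64-byte size. The cap at FRAME_SIZE only keeps the
 * model inside the bytes it owns; the real gets() has no stop at all. */
static void read_like_gets(frame_t *f, const char *line) {
    size_t n = strlen(line);
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, line, n);
    if (n < FRAME_SIZE) f->bytes[n] = '\0';
}

/* Behaves like fgets(buffer, sizeof buffer, stdin): stores at most
 * BUF_SIZE-1 bytes plus NUL, so the write can never reach `modified`. */
static void read_like_fgets(frame_t *f, const char *line) {
    size_t n = strlen(line);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->bytes, line, n);
    f->bytes[n] = '\0';
}

/* Feed a constructed line of `a_count` 'A' bytes (0x41) through one of the
 * two readers and return the resulting value of `modified`. */
static uint32_t modified_after(size_t a_count, int bounded) {
    char line[FRAME_SIZE + 1];
    frame_t f;
    if (a_count > FRAME_SIZE) a_count = FRAME_SIZE;   /* line must fit the model */
    memset(line, 'A', a_count);
    line[a_count] = '\0';
    frame_init(&f);
    if (bounded) read_like_fgets(&f, line);
    else         read_like_gets(&f, line);
    return frame_modified(&f);
}

int main(void) {
    size_t counts[] = { 60, 64, 65, 68 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("%2zu x 'A': gets-style -> modified = 0x%08" PRIx32
               ", fgets-style -> modified = 0x%08" PRIx32 "\n",
               counts[i], modified_after(counts[i], 0), modified_after(counts[i], 1));
    }
    return 0;
}
```

Exactly 64 bytes leave `modified` at 0 because the NUL that `gets` appends lands on its lowest byte, 65 bytes put the single `0x41` seen in gdb there, and 68 bytes give `0x41414141`; the bounded `fgets`-style read never changes it, which is the one-line fix for this class of bug.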
Let's write an exploit now with `pwntools`.