Protostar

Stack Zero

Task: Modify the modified value and get it to print the message you have changed the 'modified' variable 

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Solution: As we can see, the size of the buffer is 64 bytes and as declared in the code, modified is right before it, so as per the assumption if we pass 64 A's and few B's to the program's input we would be able to modify the value of the variable. We are able to do so as there are no bounds checking on the gets function while taking the input.

Stack One

Task: Modify the value of the modified variable to a specific value (0x61626364) to get the desired branch of the if statements to run.

Solution: As we can see in this problem as well, the variable modified is just after the buffer of size 64 bytes. So we'll follow the same technique as followed in the Stack Zero problem and pass 64 bytes of A's and then pass the actual value that is required i.e. 0x61626364. If you look around you'll realise that the value 0x61626364 is nothing but abcd, but as the processors work with little endian format, we'll have to pass dcba to the program to get the desired output.

Stack Two

Task: Same as the last two, modify the modified variable to the desired value but this time using the Environment variable as an input.

Solution: As we can see in the code, the value of GREENIE environment variable is being stored in the variable and then that variable is copied to the buffer without any bounds check. As pointed out earlier, this behaviour is dangerous and as exploited earlier, will be exploited here as well, but this time input will be set via the GREENIE environment variable.

Stack Three

Task: Modify the control flow by mangling with the function pointer fp, which is called after getting the input from the user in the buffer.

Solution: First we need to figure out, where is the function WIN located in the address space. So for that we'll use GDB.

As we can see function win starts at 0x08048424. So we have to make our code jump to that address i.e. overwrite EIP with that value. As we can see in the code, that fp is being called after the input has been stored in the buffer. We can exploit the unbounded copy of buffer and overwrite the fp variable with value of our choice and call the win function.

Stack Four

Task: Redirect code flow to the WIN function.

Solution

Find the address of the function, we want to jump to.

We'll now run the final exploit

Stack Five

Task: Exploit the standard buffer-overflow and execute the shellcode using ret2libc, or ROP. We'll be using ret2libC.

Solution

  • Find the offset for EIP as done earlier and it turned out to be 76.

  • We'll find the address of the functions (system and exit) and a string /bin/sh.

  • Hijack the EIP and run the system with the /bin/sh parameter and get execution.

Assembling the exploit

Stack Six

Task: Restrictions on return address, get shell as root.

Solution

Solution for this is exactly same as the 5th challenge, except the EIP offset i.e. 80 in this case, so we'll directly skip to running the exploit.

Stack Seven

Task: More restrictions on the return address, get root shell.

Solution

  • As we can see, any return address starting with 0xb will shut our exploitation down, so we'll have to circumvent this.

  • We'll be using 1 ROP gadget to pivot stack and get the execution flowing as normal, as we have done in the previous challenges.

The offset is still 80, so we'll proceed further and find our 1 ROP gadget to pivot back to the buffer.

Assembling the exploit

PreviousExploit EducationNextRop Emporium

Last updated

Was this helpful?