Protostar Stack0 Walkthrough

Hello guys, today I am going to share my walkthrough, exploitation research, tools and exploit notes that can help you complete the Exploit-Exercise Protostar level.

Basically, my goal is just to provide hints, so that you can understand all the concepts on your own.

But if, after reading this hint post, you still do not understand the concepts clearly and want to see the exploit code and other details, you can visit my blog posts. Click here

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Hints

This level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution.

This level is at /opt/protostar/bin/stack0

Disassembly Of Code

[-------------------------------------code-------------------------------------]
   0x80483f5 <main+1>:	mov    ebp,esp                          <<=== Set EBP to the current stack pointer (new frame base)
   0x80483f7 <main+3>:	and    esp,0xfffffff0                   <<=== Align ESP down to a 16-byte boundary
   0x80483fa <main+6>:	sub    esp,0x60                         <<=== Reserve 0x60 = 96 bytes of space on the stack
=> 0x80483fd <main+9>:	mov    DWORD PTR [esp+0x5c],0x0         <<=== Store 0 in 'modified', which occupies bytes 92-96 (esp+0x5c)
   0x8048405 <main+17>:	lea    eax,[esp+0x1c]                   <<=== Load the address of byte 28 of the 96 (esp+0x1c, the start
                                                                      of buffer) into EAX. From there it is moved to the stack
                                                                      so that it works as the argument for the gets() call.
   0x8048409 <main+21>:	mov    DWORD PTR [esp],eax              <<=== Copy EAX to the top of the stack
   0x804840c <main+24>:	call   0x804830c <gets@plt>             <<=== Call gets()
   0x8048411 <main+29>:	mov    eax,DWORD PTR [esp+0x5c]         <<=== Load the value at bytes 92-96 ('modified') into EAX

Stack Status

0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Buffer(64)                                           | modified | 
 ============================================================================================
                         ^                                                            ^
                         |                                                            |
                       gets() overwrites from here                                    +
                                                                                  Target Area
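
The layout above can be checked with a small model, added here as an example and not part of the original post: a 96-byte array stands in for the stack frame, using the offsets 0x1c and 0x5c from the disassembly, and the function names are hypothetical. It compares an unbounded gets()-style copy with a bounded fgets()-style copy, and shows that 64 input bytes leave 'modified' at 0 (only the terminating NUL reaches it) while a 65th byte changes it.

```c
#include <stdio.h>
#include <string.h>

/* Offsets from the disassembly: buffer at esp+0x1c, modified at esp+0x5c. */
enum { FRAME_SIZE = 0x60, BUF_OFF = 0x1c, MOD_OFF = 0x5c,
       BUF_LEN = MOD_OFF - BUF_OFF };          /* 0x40 = 64 bytes */

/* Read 'modified' back out of the simulated frame. */
static int read_modified(const unsigned char *frame)
{
    int v;
    memcpy(&v, frame + MOD_OFF, sizeof v);
    return v;
}

/* Model of gets(buffer): copies the whole line plus a NUL and never looks
   at BUF_LEN. The copy is clamped to the simulated frame so that the model
   itself stays in bounds. */
int modified_after_gets(const char *line)
{
    unsigned char frame[FRAME_SIZE] = {0};
    size_t n = strlen(line) + 1;               /* gets() appends '\0' */
    if (n > (size_t)(FRAME_SIZE - BUF_OFF))
        n = (size_t)(FRAME_SIZE - BUF_OFF);
    memcpy(frame + BUF_OFF, line, n);
    return read_modified(frame);
}

/* Model of fgets(buffer, sizeof buffer, stdin): at most BUF_LEN-1 bytes + NUL. */
int modified_after_fgets(const char *line)
{
    unsigned char frame[FRAME_SIZE] = {0};
    size_t n = strlen(line);
    if (n > (size_t)(BUF_LEN - 1))
        n = (size_t)(BUF_LEN - 1);
    memcpy(frame + BUF_OFF, line, n);
    frame[BUF_OFF + n] = '\0';
    return read_modified(frame);
}

int main(void)
{
    char in[66];                               /* constructed input: 65 x 'A' */
    memset(in, 'A', 65);
    in[65] = '\0';
    printf("gets model, 65 bytes:  modified = %d\n", modified_after_gets(in));
    printf("fgets model, 65 bytes: modified = %d\n", modified_after_fgets(in));
    in[64] = '\0';                             /* 64 bytes: only the NUL lands on modified */
    printf("gets model, 64 bytes:  modified = %d\n", modified_after_gets(in));
    return 0;
}
```

Replacing gets(buffer) with fgets(buffer, sizeof buffer, stdin) in the level's source is the bounded read that the second function models.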

For the working exploit script and other complete details, check here.


Thanks For Visiting

Have a nice day.

Written on May 11, 2018