Protostar Stack1 Walkthrough

Walkthrough

Hello guys. Today I am going to share my walkthrough, exploitation research, tools and exploit that can help you complete the Exploit-Exercises Protostar level.

Basically, my goal is just to provide hints, so that you can understand all the concepts on your own.

But if, after reading this hint post, you still do not understand the concepts clearly and want to see the exploit code and other details, you can visit my blog posts. Click here.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* declares errx() */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Hints

This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.

This level is at /opt/protostar/bin/stack1


If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
Protostar is little endian

Disassembly Of Code

   0x08048464 <+0>:	push   ebp
   0x08048465 <+1>:	mov    ebp,esp
   0x08048467 <+3>:	and    esp,0xfffffff0
   0x0804846a <+6>:	sub    esp,0x60                  << ====== Reserve 96 (0x60) bytes of stack for locals and call arguments
   0x0804846d <+9>:	cmp    DWORD PTR [ebp+0x8],0x1   << ====== Compare argc with 1
   0x08048471 <+13>:	jne    0x8048487 <main+35>   << ====== Skip the errx() call when argc != 1
   0x08048473 <+15>:	mov    DWORD PTR [esp+0x4],0x80485a0 
   0x0804847b <+23>:	mov    DWORD PTR [esp],0x1
   0x08048482 <+30>:	call   0x8048388 <errx@plt>
   0x08048487 <+35>:	mov    DWORD PTR [esp+0x5c],0x0  << ===== modified = 0 (modified lives at esp+0x5c)
   0x0804848f <+43>:	mov    eax,DWORD PTR [ebp+0xc]   << ===== EAX = argv
   0x08048492 <+46>:	add    eax,0x4                  << ===== EAX = &argv[1]
   0x08048495 <+49>:	mov    eax,DWORD PTR [eax]      << ===== EAX = argv[1] (pointer to the user-supplied string)
   0x08048497 <+51>:	mov    DWORD PTR [esp+0x4],eax  << ===== strcpy source argument = argv[1]
   0x0804849b <+55>:	lea    eax,[esp+0x1c]           << ===== EAX = address of buffer (esp+0x1c)
   0x0804849f <+59>:	mov    DWORD PTR [esp],eax      << ===== strcpy destination argument = buffer
   0x080484a2 <+62>:	call   0x8048368 <strcpy@plt>
   0x080484a7 <+67>:	mov    eax,DWORD PTR [esp+0x5c]
   0x080484ab <+71>:	cmp    eax,0x61626364
   0x080484b0 <+76>:	jne    0x80484c0 <main+92>
   0x080484b2 <+78>:	mov    DWORD PTR [esp],0x80485bc
   0x080484b9 <+85>:	call   0x8048398 <puts@plt>
   0x080484be <+90>:	jmp    0x80484d5 <main+113>
   0x080484c0 <+92>:	mov    edx,DWORD PTR [esp+0x5c]
   0x080484c4 <+96>:	mov    eax,0x80485f3
   0x080484c9 <+101>:	mov    DWORD PTR [esp+0x4],edx
   0x080484cd <+105>:	mov    DWORD PTR [esp],eax
   0x080484d0 <+108>:	call   0x8048378 <printf@plt>
   0x080484d5 <+113>:	leave  
   0x080484d6 <+114>:	ret    

Stack Status

0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Injectable Area                                      | modified | 
 ============================================================================================
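
The layout in the diagram can be checked with a small C model (an added example, not part of the original post or the Protostar source). The names struct frame, unbounded_copy, bounded_copy and run are hypothetical, the input is constructed, and a little-endian host is assumed, as on Protostar.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of main()'s locals; offsets taken from the disassembly. */
struct frame {
    char     buffer[64];   /* esp+0x1c .. esp+0x5b */
    uint32_t modified;     /* esp+0x5c, directly above the buffer */
};

/* What strcpy(buffer, src) does to the frame: copy until the NUL, ignoring
   sizeof(buffer). Clamped to the struct so the model stays defined C. */
uint32_t unbounded_copy(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, src, n);
    return f->modified;
}

/* Hardened form: refuse anything that does not fit, terminator included. */
int bounded_copy(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof f->buffer) return -1;
    memcpy(f->buffer, src, n + 1);
    return 0;
}

/* Constructed input: 64 filler bytes, then 4 bytes in the given memory order.
   The values printed by main() assume a little-endian host. */
uint32_t run(const char tail[4], int hardened) {
    struct frame f = { {0}, 0 };
    char arg[69];
    memset(arg, 'A', 64);
    memcpy(arg + 64, tail, 4);
    arg[68] = '\0';
    if (hardened) bounded_copy(&f, arg);
    else unbounded_copy(&f, arg);
    return f.modified;
}

int main(void) {
    printf("buffer -> modified distance: %d bytes\n", 0x5c - 0x1c);
    printf("tail \"abcd\": 0x%08x\n", (unsigned)run("abcd", 0));
    printf("tail \"dcba\": 0x%08x\n", (unsigned)run("dcba", 0));
    printf("bounded copy: 0x%08x\n", (unsigned)run("dcba", 1));
    return 0;
}
```

The bounded copy rejects the 68-byte argument outright, so modified keeps the value 0 that main() stored before the copy.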

For the working exploit script and other complete details, check here.


Thanks For Visiting

Have a nice day.

Written on May 11, 2018