Protostar Stack2 Walkthrough

Walkthrough

Hello guys. Today I am going to share my walkthrough of the Exploit-Exercises Protostar Stack2 level: the exploitation research, the tools and the things that can help you complete it.

My goal is only to provide hints, so that you can understand all of the concepts on your own.

If, after reading this hint post, the concepts are still not clear and you want to see the exploit code and other details, you can visit my blog posts.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* errx() is declared here; the original listing omitted it */

int main(int argc, char **argv)
{
  volatile int modified;   /* sits directly above buffer on the stack */
  char buffer[64];         /* 64-byte destination, no bounds check below */
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  /* unbounded copy of an attacker-controlled environment value: anything
   * beyond 64 bytes overwrites whatever follows buffer, i.e. modified */
  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}

Hints

Stack2 looks at environment variables, and how they can be set.

This level is at /opt/protostar/bin/stack2

Disassembly Of Code

Dump of assembler code for function main:
   0x08048494 <+0>:	push   ebp
   0x08048495 <+1>:	mov    ebp,esp
   0x08048497 <+3>:	and    esp,0xfffffff0
   0x0804849a <+6>:	sub    esp,0x60                            << ==== Reserve 96 bytes (0x60) of stack for locals and call arguments
   0x0804849d <+9>:	mov    DWORD PTR [esp],0x80485e0           << ==== Argument for getenv: address of the "GREENIE" string
   0x080484a4 <+16>:	call   0x804837c <getenv@plt>          << ==== Call getenv("GREENIE")
   0x080484a9 <+21>:	mov    DWORD PTR [esp+0x5c],eax        << ==== Store the returned pointer (or NULL) in `variable` at esp+0x5c
   0x080484ad <+25>:	cmp    DWORD PTR [esp+0x5c],0x0        << ==== Is variable == NULL?
   0x080484b2 <+30>:	jne    0x80484c8 <main+52>             << ==== If GREENIE is set, skip the errx() call
   0x080484b4 <+32>:	mov    DWORD PTR [esp+0x4],0x80485e8   << ==== errx message string
   0x080484bc <+40>:	mov    DWORD PTR [esp],0x1             << ==== errx exit status 1
   0x080484c3 <+47>:	call   0x80483bc <errx@plt>
   0x080484c8 <+52>:	mov    DWORD PTR [esp+0x58],0x0        << ==== modified = 0 (modified lives at esp+0x58)
   0x080484d0 <+60>:	mov    eax,DWORD PTR [esp+0x5c]        << ==== eax = variable (pointer to GREENIE's value)
   0x080484d4 <+64>:	mov    DWORD PTR [esp+0x4],eax         << ==== Second strcpy argument: source
   0x080484d8 <+68>:	lea    eax,[esp+0x18]                  << ==== eax = address of buffer (esp+0x18); buffer ends exactly where modified begins
   0x080484dc <+72>:	mov    DWORD PTR [esp],eax             << ==== First strcpy argument: destination
   0x080484df <+75>:	call   0x804839c <strcpy@plt>          << ==== Unbounded copy, no length check on the environment value
   0x080484e4 <+80>:	mov    eax,DWORD PTR [esp+0x58]        << ==== eax = modified
   0x080484e8 <+84>:	cmp    eax,0xd0a0d0a                   << ==== modified == 0x0d0a0d0a?
   0x080484ed <+89>:	jne    0x80484fd <main+105>            << ==== Otherwise jump to the "Try again" branch
   0x080484ef <+91>:	mov    DWORD PTR [esp],0x8048618       << ==== Success message
   0x080484f6 <+98>:	call   0x80483cc <puts@plt>
   0x080484fb <+103>:	jmp    0x8048512 <main+126>
   0x080484fd <+105>:	mov    edx,DWORD PTR [esp+0x58]        << ==== edx = modified, printed as 0x%08x
   0x08048501 <+109>:	mov    eax,0x8048641                   << ==== "Try again, you got 0x%08x\n" format string
   0x08048506 <+114>:	mov    DWORD PTR [esp+0x4],edx
   0x0804850a <+118>:	mov    DWORD PTR [esp],eax
   0x0804850d <+121>:	call   0x80483ac <printf@plt>
   0x08048512 <+126>:	leave  
   0x08048513 <+127>:	ret 

Stack Status

0                        28                                                      92        96
 ============================================================================================
        Other Things     |  Injectable Area                                      | modified | 
 ============================================================================================
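The layout above shows why one unbounded strcpy() is enough to reach `modified`. As an added example (my own code, not the Protostar source or the walkthrough's exploit), here is the same copy step written with a bounded copy that refuses any value which does not fit the 64-byte buffer, so an over-long GREENIE never touches the neighbouring variable. The names copy_untrusted, hardened_stack2 and oversized_value, and the constructed inputs, are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 when src is NULL or too long. */
int copy_untrusted(char *dst, size_t dst_size, const char *src)
{
    if (src == NULL || dst_size == 0)
        return -1;
    /* Look for the NUL inside the first dst_size bytes only, so an
     * unterminated or over-long value is never scanned past the limit. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;               /* no terminator within dst_size: reject */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Mirror of stack2's main() with the bounded copy in place of strcpy().
 * Takes the value as a parameter instead of calling getenv() so it can
 * be exercised with constructed inputs. Returns the final `modified`. */
unsigned int hardened_stack2(const char *value)
{
    volatile unsigned int modified = 0;
    char buffer[BUF_SIZE];

    if (copy_untrusted(buffer, sizeof buffer, value) != 0) {
        fprintf(stderr, "GREENIE must be shorter than %d bytes\n", BUF_SIZE);
        return modified;         /* nothing copied, modified still 0 */
    }
    if (modified == 0x0d0a0d0a)
        puts("you have correctly modified the variable");
    else
        printf("Try again, you got 0x%08x\n", modified);
    return modified;
}

/* Constructed 100-byte value, longer than the buffer. */
const char *oversized_value(void)
{
    static char big[101];
    memset(big, 'A', 100);
    big[100] = '\0';
    return big;
}

int main(void)
{
    hardened_stack2("hello");            /* fits: Try again, you got 0x00000000 */
    hardened_stack2(oversized_value());  /* rejected before any copy happens */
    return 0;
}
```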

For a working exploit script and the other complete details, check my blog.


Thanks for visiting.

Have a nice day.

Written on May 11, 2018