Protostar Stack3 Walkthrough

Walkthrough

Hello guys, today I am going to share with you my walkthrough, exploitation research, tooling and exploit that can help you in completing the Exploit Exercises Protostar level Stack3.

Basically, my goal is just to provide you hints, so that you can understand all the concepts on your own.

But if, even after reading this hint post, you are still not understanding the concepts clearly and want to see the exploit code and other details, then you can visit my blog post: click here

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

About Stack3

Stack3 looks at environment variables, and how they can be set,
and overwriting function pointers stored on the stack
(as a prelude to overwriting the saved EIP).

Hints

Both gdb and objdump are your friends in determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3

Disassembly Of Code

Dump of assembler code for function main:

0x08048438 <main+0>:	push   ebp  ----------------------
0x08048439 <main+1>:	mov    ebp,esp                   |----> Function prologue
0x0804843b <main+3>:	and    esp,0xfffffff0  -----------
0x0804843e <main+6>:	sub    esp,0x60      -----------------> Reserve 0x60 bytes of stack for the locals
0x08048441 <main+9>:	mov    DWORD PTR [esp+0x5c],0x0  -----> fp = 0; fp lives at esp+0x5c  [the overwrite target]
0x08048449 <main+17>:	lea    eax,[esp+0x1c] ---------  -----> Load the start address of buffer (esp+0x1c) into EAX
0x0804844d <main+21>:	mov    DWORD PTR [esp],eax      |-----> Pass buffer as the argument and call gets(buffer)
0x08048450 <main+24>:	call   0x8048330 <gets@plt> -----
0x08048455 <main+29>:	cmp    DWORD PTR [esp+0x5c],0x0 ------> Compare fp with zero
0x0804845a <main+34>:	je     0x8048477 <main+63>      ------> If fp == 0, jump straight to leave/ret
0x0804845c <main+36>:	mov    eax,0x8048560            ------> Load the address of the printf format string into EAX
0x08048461 <main+41>:	mov    edx,DWORD PTR [esp+0x5c] ------> Load fp into EDX
0x08048465 <main+45>:	mov    DWORD PTR [esp+0x4],edx  ------> Second printf argument: fp
0x08048469 <main+49>:	mov    DWORD PTR [esp],eax      ------> First printf argument: the format string
0x0804846c <main+52>:	call   0x8048350 <printf@plt>
0x08048471 <main+57>:	mov    eax,DWORD PTR [esp+0x5c] ------> Load fp into EAX again
0x08048475 <main+61>:	call   eax                      ------> Call whatever fp now points to
0x08048477 <main+63>:	leave
0x08048478 <main+64>:	ret

Note that buffer starts at esp+0x1c and fp sits at esp+0x5c, so the function pointer lies exactly 0x5c - 0x1c = 64 bytes after the start of buffer, directly behind the 64-byte array.

Stack Status

0                        28                                                      92             96
 ===============================================================================================
        Other things     |  buffer (64 bytes, esp+0x1c)                          | fp (esp+0x5c)|
 ===============================================================================================
                                                                                       ^
                                                                      gets() stops at a newline, not at 64 bytes,
                                                                      and fp is only checked for being non-zero
                                                                      before it is called, so whatever lands here
                                                                      is used as a code address
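As an added illustration (not part of the original walkthrough and not the level's own code), the following C program models the frame shown in the disassembly: a 64-byte buffer immediately followed by the function pointer. It contrasts the unbounded gets()-style read the level uses with a bounded fgets()-style read, so you can see that only the unbounded read reaches the pointer. The struct layout, the helper names and the constructed input lines of 'A' characters are assumptions of this model; the offsets 0x1c and 0x5c come from the disassembly above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Offsets taken from the disassembly of main: buffer = [esp+0x1c], fp = [esp+0x5c]. */
#define BUFFER_OFF 0x1c
#define FP_OFF     0x5c

/* Bytes between the start of buffer and the function pointer (0x5c - 0x1c = 64). */
size_t fp_distance(void)
{
    return FP_OFF - BUFFER_OFF;
}

/* Model of the level's stack frame (an assumption for this illustration, not the
 * real stack): the 64-byte buffer is immediately followed by the pointer, as in
 * the binary, so offsetof(struct frame, fp) equals fp_distance(). */
struct frame {
    char buffer[64];
    volatile int (*fp)(void);
};

size_t model_fp_offset(void)
{
    return offsetof(struct frame, fp);
}

/* Behaves like gets(buffer): copies the whole line plus its terminator starting
 * at buffer, with nothing stopping it at 64 bytes. Returns 0 when the line would
 * not even fit in the modelled frame, because the model says nothing about that. */
int unbounded_read(struct frame *f, const char *line)
{
    size_t n = strlen(line) + 1;
    if (n > sizeof *f)
        return 0;
    memcpy(f, line, n);          /* buffer is at offset 0 of the frame */
    return 1;
}

/* Behaves like fgets(buffer, sizeof buffer, stdin): at most 63 characters are
 * stored and a terminator is always written inside the buffer. */
void bounded_read(struct frame *f, const char *line)
{
    size_t n = strlen(line);
    if (n > sizeof f->buffer - 1)
        n = sizeof f->buffer - 1;
    memcpy(f->buffer, line, n);
    f->buffer[n] = '\0';
}

/* Constructed input: a line of line_len 'A' characters, nothing else. */
static void make_line(char *out, size_t line_len)
{
    memset(out, 'A', line_len);
    out[line_len] = '\0';
}

/* Returns 1 if a line of the given length changes fp through the unbounded read,
 * 0 if fp is still NULL, -1 if the line is outside what the model can hold. */
int fp_clobbered_unbounded(size_t line_len)
{
    struct frame f;
    char line[128];
    if (line_len >= sizeof line)
        return -1;
    make_line(line, line_len);
    f.fp = 0;
    if (!unbounded_read(&f, line))
        return -1;
    return f.fp != 0;
}

/* Same experiment with the bounded read: fp must stay NULL whatever the length. */
int fp_clobbered_bounded(size_t line_len)
{
    struct frame f;
    char line[128];
    if (line_len >= sizeof line)
        return -1;
    make_line(line, line_len);
    f.fp = 0;
    bounded_read(&f, line);
    return f.fp != 0;
}

int main(void)
{
    printf("distance buffer -> fp from disassembly: %zu bytes\n", fp_distance());
    printf("66-byte line, gets-style:  fp %s\n",
           fp_clobbered_unbounded(66) ? "overwritten" : "untouched");
    printf("66-byte line, fgets-style: fp %s\n",
           fp_clobbered_bounded(66) ? "overwritten" : "untouched");
    return 0;
}
```

A 64-character line is the boundary case: gets() writes its terminating NUL into the first byte of fp, which is already zero, so fp stays NULL and the call is skipped; one more character and the pointer is no longer zero. The bounded variant never touches the pointer no matter how long the line is, which is the whole reason gets() was removed from C11.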

For the working exploit script and other complete details, check here


Thanks For Visiting

Have a nice day.

Written on May 11, 2018