Protostar Stack4 Walkthrough

Walkthrough

Hello guys. Today I am going to share my walkthrough: the exploitation research, tools and exploit that can help you complete the Exploit-Exercises Protostar levels.

Basically, my goal is just to give you hints, so that you can understand all the concepts on your own.

If, after reading this hint post, you still do not understand the concepts clearly and want to see the exploit code and other details, you can visit my blog post.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Hints

Stack4 takes a look at overwriting saved EIP and standard buffer overflows.

This level is at /opt/protostar/bin/stack4

Hints

A variety of introductory papers into buffer overflows may help.
gdb lets you do “run < input”
EIP is not directly after the end of buffer, compiler padding can also increase the size.

Disassembly Of Code

gdb-peda$ pdisass main
Dump of assembler code for function main:
   0x08048408 <+0>:	push   ebp        -------------------
   0x08048409 <+1>:	mov    ebp,esp                      | --> Function prologue
   0x0804840b <+3>:	and    esp,0xfffffff0  --------------     (and align the stack to 16 bytes)
   0x0804840e <+6>:	sub    esp,0x50  -----------------------> Reserve 0x50 (80) bytes of stack space
   0x08048411 <+9>:	lea    eax,[esp+0x10] ------------------> Load the address of buffer (esp+0x10) into EAX
   0x08048415 <+13>:	mov    DWORD PTR [esp],eax ---------> Place EAX at the top of the stack (argument to gets)
   0x08048418 <+16>:	call   0x804830c <gets@plt> --------> Call gets(buffer)
=> 0x0804841d <+21>:	leave  -----------------------------> Reverse of the prologue (mov esp,ebp; pop ebp)
   0x0804841e <+22>:	ret    -----------------------------> Return [our target is the saved return address this instruction pops from the stack]

Stack Status

STACK


0000| 0xffffcf80 --> 0xffffcf90 ('a' <repeats 64 times>)     ----------------
0004| 0xffffcf84 --> 0x2f ('/')                                              |---->  Argument slot for gets() and other padding
0008| 0xffffcf88 --> 0xf7debdc8 --> 0x2b76 ('v+')                            |
0012| 0xffffcf8c --> 0xf7fd41b0 --> 0xf7ddf000 --> 0x464c457f ---------------
0016| 0xffffcf90 ('a' <repeats 64 times>) ----         ---------------> Start of buffer: gets() writes from here
0020| 0xffffcf94 ('a' <repeats 60 times>)     |
0024| 0xffffcf98 ('a' <repeats 56 times>)     |
0028| 0xffffcf9c ('a' <repeats 52 times>)     |
0032| 0xffffcfa0 ('a' <repeats 48 times>)     |
0036| 0xffffcfa4 ('a' <repeats 44 times>)     |
0040| 0xffffcfa8 ('a' <repeats 40 times>)     | -------------------> buffer[64] (64 bytes, decimal)
0044| 0xffffcfac ('a' <repeats 36 times>)     |
0048| 0xffffcfb0 ('a' <repeats 32 times>)     |
0052| 0xffffcfb4 ('a' <repeats 28 times>)     |
0056| 0xffffcfb8 ('a' <repeats 24 times>)     |
0060| 0xffffcfbc ('a' <repeats 20 times>)     |
0064| 0xffffcfc0 ('a' <repeats 16 times>)     |
0068| 0xffffcfc4 ('a' <repeats 12 times>)     |
0072| 0xffffcfc8 ("aaaaaaaa")                 |
0076| 0xffffcfcc ("aaaa") ---------------------
0080| 0xffffcfd0 --> 0xf7f91000 --> 0x1b1db0-----
0084| 0xffffcfd4 --> 0xf7f91000 --> 0x1b1db0-----> Padding
0088| 0xffffcfd8 --> 0x0 ------------------------> Saved EBP
0092| 0xffffcfdc --> 0xf7df7637 (<__libc_start_main+247>:	add    esp,0x10) <<<<------- Saved return address [Injection Point]
0096| 0xffffcfe0 --> 0x1 




0         16                                      80    84    88    92     96
 ===========================================================================
  Paddings |  buffer[64]                           | pad | pad | EBP | RET |
 ===========================================================================
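As an added example (not code from the original post or from Protostar), here is the hardened counterpart of the level's gets(buffer): a bounded line reader that keeps at most 63 bytes plus the terminator and discards the rest of an over-long line, so the pad, EBP and RET slots in the layout above are never written. The names read_line_bounded and demo_overlong_line are mine, and fmemopen is used only to feed constructed input to the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* declares fmemopen() for the demo */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as the level's buffer[64] */

/* Bounded replacement for gets(buffer): stores at most size-1 bytes, always
 * NUL-terminates, strips the newline like gets() does, and drains the rest
 * of an over-long line. Returns bytes stored, or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {             /* no newline: line was longer than the buffer */
        int c;           /* discard the remainder so it cannot spill over */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Demo on constructed input: n_a 'a' bytes, a newline, then "next\n".
 * Line one goes into a BUF_SIZE buffer, line two into `second` (caller
 * supplies BUF_SIZE bytes). Returns the bytes stored for line one. */
int demo_overlong_line(size_t n_a, char *second)
{
    char input[256], buf[BUF_SIZE];
    if (n_a > sizeof input - 8) return -2;
    memset(input, 'a', n_a);
    input[n_a] = '\n';
    strcpy(input + n_a + 1, "next\n");
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL) return -3;
    int first_len = read_line_bounded(in, buf, sizeof buf);
    if (read_line_bounded(in, buf, sizeof buf) < 0) buf[0] = '\0';
    strcpy(second, buf);
    fclose(in);
    return first_len;
}

int main(void)
{
    char second[BUF_SIZE];
    int n = demo_overlong_line(100, second);  /* 100 bytes: past RET with gets() */
    printf("stored %d bytes, next line \"%s\"\n", n, second);
    return 0;
}
```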

For the working exploit script and other complete details, see my blog post.


Thanks For Visiting

Have a nice day.

Written on May 11, 2018