Protostar Stack6 Walkthrough Using Duplicate Code Execution


Hello Guyz, Today, Here I am going to share with you my walkthrough exploitation research, tools Stuff and Exploit That Can help you in completing Exploit-Exercise Protostar Level.

Basically, My Goal is Just to provide you hints, so that you can Understand all concepts on your own.

But If still after reading this hint post, you are not understanding concepts clearly and want to see Exploit Code And Other Details then you can visit my blog posts. click here

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);


  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);

  printf("got path %s\n", buffer);

int main(int argc, char **argv)



Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, 
such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6

Disassembly Of Code

0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>: mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>: call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>: mov    eax,ds:0x8049720
0x0804849c <getpath+24>: mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>: call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>: lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>: mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>: call   0x8048380 <gets@plt>
0x080484af <getpath+43>: mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>: mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>: mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>: and    eax,0xbf000000
0x080484bd <getpath+57>: cmp    eax,0xbf000000
0x080484c2 <getpath+62>: jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>: mov    eax,0x80485e4
0x080484c9 <getpath+69>: mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>: mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>: mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>: call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>: mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>: call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>: mov    eax,0x80485f0
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>: leave  
0x080484f9 <getpath+117>: ret 

Useful Commands

~:# ulimit -c unlimited

and Crash App with Overflow.

Use objdump -s "core.crash.file"

For Working Exploit Script And Other Complete Details. Check here

Thanks For Visiting

Have a nice day.

Written on May 11, 2018