Protostar Stack6 Walkthrough Using Return To Libc

Walkthrough

Hello guys, today I am going to share with you my walkthrough, exploitation research, tooling and exploit notes that can help you complete the Exploit Exercises Protostar levels.

Basically, my goal is just to provide you with hints, so that you can understand all the concepts on your own.

But if, after reading this hints post, you still don't understand the concepts clearly and want to see the exploit code and other details, you can visit my blog post: click here

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

Hints

Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, such as finding the duplicate of the payload (objdump -s will help with this), or ret2libc, or even return oriented programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6
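As an added example (not part of the original post or of the Protostar sources), here is the level's return-address filter lifted into a standalone function, next to a bounded replacement for the gets() call that actually causes the bug. The sample addresses (0xbffff5a0 as a stack address, 0xb7e5f000 as a libc-like address) and the 100-byte input line are constructed values chosen to show which regions the filter covers and that the bounded read stays inside a 64-byte buffer.

```c
#include <stdio.h>
#include <string.h>

/* The level's return-address filter, lifted into a function so it can be
 * called on sample values. It rejects only addresses whose set bits cover
 * 0xbf000000 (the stack region on the Protostar VM); text and library
 * addresses pass, which is why the hints mention ret2libc and ROP. */
int stack6_ret_rejected(unsigned int ret)
{
    return (ret & 0xbf000000) == 0xbf000000;
}

/* Hardened replacement for gets(): stores at most size-1 bytes, strips the
 * newline, discards any excess and reports it via *truncated.
 * Returns the stored length, or -1 on EOF/error. */
int read_path_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else if (len == size - 1) {
        /* Buffer filled with no newline: drain the rest of the line. */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            *truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
        }
    }
    return (int)len;
}

/* Feeds a constructed input line through a tmpfile() stream, standing in
 * for stdin, and returns what read_path_bounded() stores. */
int read_path_from_string(const char *line, char *buf, size_t size, int *truncated)
{
    FILE *f = tmpfile();
    if (f == NULL || fputs(line, f) == EOF)
        return -1;
    rewind(f);
    int n = read_path_bounded(f, buf, size, truncated);
    fclose(f);
    return n;
}
```

Called with a 100-byte line and a 64-byte buffer, read_path_bounded() stores 63 bytes and sets truncated, where gets() in the original getpath() would have written all 100 bytes past the end of buffer and over the saved return address the filter tries to protect.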

Disassembly Of Code

Disassembly:
0x08048484 <getpath+0>:   push   ebp
0x08048485 <getpath+1>:   mov    ebp,esp
0x08048487 <getpath+3>:   sub    esp,0x68                   <<==== Reserve 0x68 (104) bytes of frame for locals and call arguments
0x0804848a <getpath+6>:   mov    eax,0x80485d0              <<==== Load the address of the "input path please: " string into EAX
0x0804848f <getpath+11>:  mov    DWORD PTR [esp],eax        <<==== Place it at the top of the stack (first argument)
0x08048492 <getpath+14>:  call   0x80483c0 <printf@plt>     <<==== Call printf
0x08048497 <getpath+19>:  mov    eax,ds:0x8049720           <<==== Load stdout into EAX
0x0804849c <getpath+24>:  mov    DWORD PTR [esp],eax        <<==== Place it at the top of the stack (first argument)
0x0804849f <getpath+27>:  call   0x80483b0 <fflush@plt>     <<==== Call fflush
0x080484a4 <getpath+32>:  lea    eax,[ebp-0x4c]             <<==== Load the starting address of buffer (ebp-0x4c) into EAX
0x080484a7 <getpath+35>:  mov    DWORD PTR [esp],eax        <<==== Place it at the top of the stack (first argument)
0x080484aa <getpath+38>:  call   0x8048380 <gets@plt>       <<==== Call gets(), which has no length limit: this is the overflow
0x080484af <getpath+43>:  mov    eax,DWORD PTR [ebp+0x4]    <<==== Load the saved return address of the current frame into EAX (__builtin_return_address(0))
0x080484b2 <getpath+46>:  mov    DWORD PTR [ebp-0xc],eax    <<==== Store it in the local variable ret (ebp-0xc)
0x080484b5 <getpath+49>:  mov    eax,DWORD PTR [ebp-0xc]    <<==== Reload ret into EAX
0x080484b8 <getpath+52>:  and    eax,0xbf000000             <<==== Mask the return address with 0xbf000000
0x080484bd <getpath+57>:  cmp    eax,0xbf000000             <<==== Compare the masked value with 0xbf000000
0x080484c2 <getpath+62>:  jne    0x80484e4 <getpath+96>     <<==== Jump past the check when not equal (address is not in the 0xbf... stack range)
0x080484c4 <getpath+64>:  mov    eax,0x80485e4              <<==== Load the address of the "bzzzt (%p)\n" format string into EAX
0x080484c9 <getpath+69>:  mov    edx,DWORD PTR [ebp-0xc]    <<==== Load ret into EDX
0x080484cc <getpath+72>:  mov    DWORD PTR [esp+0x4],edx    <<==== Place EDX at the second stack slot (second argument)
0x080484d0 <getpath+76>:  mov    DWORD PTR [esp],eax        <<==== Place EAX at the top of the stack (first argument)
0x080484d3 <getpath+79>:  call   0x80483c0 <printf@plt>     <<==== Call printf
0x080484d8 <getpath+84>:  mov    DWORD PTR [esp],0x1        <<==== _exit() argument: 1
0x080484df <getpath+91>:  call   0x80483a0 <_exit@plt>      <<==== Call _exit
0x080484e4 <getpath+96>:  mov    eax,0x80485f0              <<==== Load the address of the "got path %s\n" format string into EAX
0x080484e9 <getpath+101>: lea    edx,[ebp-0x4c]             <<==== Load the starting address of buffer into EDX
0x080484ec <getpath+104>: mov    DWORD PTR [esp+0x4],edx    <<==== Place EDX at the second stack slot (second argument)
0x080484f0 <getpath+108>: mov    DWORD PTR [esp],eax        <<==== Place EAX at the top of the stack (first argument)
0x080484f3 <getpath+111>: call   0x80483c0 <printf@plt>     <<==== Call printf
0x080484f8 <getpath+116>: leave                             <<==== Reverse of (push ebp; mov ebp,esp): restore ESP and EBP
0x080484f9 <getpath+117>: ret                               <<==== Return to the address stored at [ebp+4], which gets() may have overwritten

Stack Status

Concept (offsets are bytes from ESP after sub esp,0x68; buffer[64] starts at ebp-0x4c, i.e. at offset 104 - 76 = 28, and gets() keeps writing upward from there with no limit):

 0                  28                                                     104
 ============================================================================
 | Other stuff      |         Focus here (gets() writes from here)          |
 ============================================================================

For the working exploit script and other complete details, check here


Thanks for visiting.

Have a nice day.

Written on May 11, 2018