Protostar Stack7 Walkthrough


Hello guys. Today I am going to share my walkthrough, exploitation research, tools and exploit notes that can help you complete this Exploit-Exercises Protostar level.

Basically, my goal is just to provide hints, so that you can understand all the concepts on your own.

If, after reading this hint post, the concepts are still unclear and you want to see the exploit code and other details, you can visit my blog posts.

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

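char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  /* unbounded read into a 64-byte stack buffer: this is the overflow */
  gets(buffer);

  ret = __builtin_return_address(0);

  /* reject any return address whose top nibble matches 0xb (stack, libraries) */
  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  /* strdup leaves a pointer to the heap copy of the input in eax */
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();
}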



Stack6 introduces return to .text to gain code execution.

The metasploit tool “msfelfscan” can make searching for suitable instructions very easy, otherwise looking through objdump output will suffice.

This level is at /opt/protostar/bin/stack7


Well, this is a very unique case. As we know, we can't overwrite the return address with an address that starts with 0xb.......
So what we will do is find a suitable instruction in the binary and point our EIP to it....

For example:
At the end of the getpath function, strdup returns a pointer to its copy of our input in the eax register. So we just need to find a call eax instruction in the binary's disassembly and then point our EIP to it.

To find the instruction, use:

objdump -S stack7 | grep "call"

0         42        46          76         80     84
|  'a'*42 | '\xcc'*4 | '\x90'*30 | '\xcc'*4 | EIP |
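
The following C sketch is an added example, not code from the original post or from Protostar: `filter_blocks` reproduces the return-address check from getpath as a pure function to show which address ranges it rejects, and `getpath_bounded` is a hypothetical hardened replacement that bounds the read instead of filtering afterwards. The function names and the sample addresses in `main` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The level's return-address check as a pure function: 1 means "bzzzt". */
int filter_blocks(unsigned int ret)
{
    return (ret & 0xb0000000) == 0xb0000000;
}

/* Hypothetical hardened getpath(): the read is bounded by the buffer size,
 * so the saved return address is never reachable from the input.
 * Returns a heap copy, or NULL on EOF or a line longer than 62 characters. */
char *getpath_bounded(FILE *in)
{
    char buffer[64];
    size_t len;
    int c;

    if (fgets(buffer, sizeof buffer, in) == NULL)
        return NULL;
    len = strcspn(buffer, "\n");
    if (buffer[len] != '\n' && len == sizeof buffer - 1) {
        /* Buffer filled before a newline arrived: drain the line, reject. */
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;
        return NULL;
    }
    buffer[len] = '\0';
    return strdup(buffer);
}

int main(void)
{
    /* Constructed sample addresses, typical of a 32-bit layout without ASLR. */
    unsigned int samples[] = { 0xbffff7a0u, 0xb7e9c000u, 0x08048500u, 0x0804a008u };
    const char *region[] = { "stack", "shared library", ".text", "heap" };
    size_t i;
    char *path;
    for (i = 0; i < 4; i++)
        printf("%-14s 0x%08x -> %s\n", region[i], samples[i],
               filter_blocks(samples[i]) ? "blocked" : "allowed");
    printf("input path please: "); fflush(stdout);
    path = getpath_bounded(stdin);
    if (path) printf("got path %s\n", path);
    else printf("rejected input\n");
    free(path);
    return 0;
}
```

The check is a denylist over one address range, so the overflow itself is still there; bounding the read removes it.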

For the working exploit script and other complete details, check here.

Thanks For Visiting

Have a nice day.

Written on May 11, 2018