Protostar exploit exercises – stack0 November 26, 2016
Protostar

This is the link to the Protostar exercises.

Let us load the stack0 into gdb, change into INTEL mode and disassemble the main function.

$ gdb /opt/protostar/bin/stack0
(gdb) set disassembly-flavor intel
(gdb) disassemble main

0x080483f4 :    push   ebp
0x080483f5 :    mov    ebp,esp
0x080483f7 :    and    esp,0xfffffff0
0x080483fa :    sub    esp,0x60
0x080483fd :    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 :   lea    eax,[esp+0x1c]
0x08048409 :   mov    DWORD PTR [esp],eax
0x0804840c :   call   0x804830c 
0x08048411 :   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 :   test   eax,eax
0x08048417 :   je     0x8048427 
0x08048419 :   mov    DWORD PTR [esp],0x8048500
0x08048420 :   call   0x804832c 
0x08048425 :   jmp    0x8048433 
0x08048427 :   mov    DWORD PTR [esp],0x8048529
0x0804842e :   call   0x804832c 
0x08048433 :   leave
0x08048434 :   ret

Line 4 allocates space for the variables modified and buffer.

In line 5 the variable modified is set to 0. The address of this variable is ESP+0x5c. Since it is an integer, the size is 4 bytes.

In line 6-7 the address of buffer is saved on the top of the stack, so that when the function gets is called in the next line, this address is passed to this function. The address of this variable is ESP+0x1c.

The stack looks like this:

ESP+0x00:———-Top of the stack
ESP+0x1c:———-buffer
ESP+0x5c:———-modified
ESP+0x60:———-EBP
ESP+0x64:———-RET address

The strcpy method copies the passed string from the address of buffer. In order to overwrite the modified variable, we have to pass 64 characters and 4 more characters, which will the new value of the modified variable. I passed 64 A and 4 B character:

screen-shot-2016-11-26-at-18-27-41