Wednesday, 7 August 2019

Protostar CTF - stack7

Today we will try to solve the last part of the Protostar CTF related to stack overflows - stack7.
Here we go...
This time we will start here:


The vulnerable source code is known, and you should already be familiar with gets() (after reading this book ;)). So we can try to take over the program's flow.

Let's run stack7 in gdb (just like we did last time). We should be here:


Good. Checking getpath():

 
Let's set a breakpoint at the end of the getpath() function, on the ret instruction at 0x08048544:


Now we will switch to the shell from gdb to prepare a payload-file:


So far, so good. :) Checking ESP:


According to the source, our buffer is 64 bytes long. Let's modify our payload-file to make it larger:


Looks better now. ;) Let's try to modify it a little bit more:


At this stage I decided to check for pop-pop-ret instruction(s). To do that I used:


Good. We will need that value later.

Let's modify our poc-payload:

Now we need to store the shellcode somewhere in memory. I used an OS environment variable, SCODE, to do that:


To get the address of the variable I used a simple program from old tutorials, get_sp.c ;)

For now our poc-payload looks like this:

We are ready to check it:


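The writeup above shows the exploit side; as an added example (not code from the original post), here is the fix side: a bounded replacement for the gets() call in getpath(), exercised with a constructed 200-byte line and a canary placed directly behind the 64-byte buffer to confirm nothing is written past it. read_path, run_case, the demo functions and the fmemopen() harness are my own names and assumptions, not part of Protostar.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#define PATH_BUF 64               /* the 64-byte buffer size the writeup mentions */

/* stack7's getpath() reads with gets(buffer), which takes no length, so a line longer
 * than the buffer overwrites the saved frame pointer and return address behind it.
 * This bounded replacement never writes more than 'cap' bytes, strips the newline,
 * and returns -1 for a line that did not fit (its remainder is discarded). */
int read_path(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                              /* line fit exactly */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                      /* drop the over-long remainder */
    return -1;
}

/* Hypothetical harness: buffer with a canary behind it, fed from memory; -2 = canary clobbered. */
static int run_case(const char *input)
{
    struct { char buffer[PATH_BUF]; unsigned int canary; } frame = {{0}, 0xdeadbeefu};
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int rc = read_path(frame.buffer, sizeof frame.buffer, in);
    fclose(in);
    return frame.canary == 0xdeadbeefu ? rc : -2;
}

/* Constructed 200-byte line of 'A's (the shape of the enlarged payload file): expect -1. */
int demo_overlong_line(void)
{
    char line[201];
    memset(line, 'A', 200);
    line[200] = '\0';
    return run_case(line);
}

int demo_normal_path(void)   /* a normal path fits: expect 0, frame intact */
{
    return run_case("/tmp/some/path\n");
}
```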
Now we are ready to move to the next case... :)

See you soon!

Cheers

2 comments:

  1. How exactly are you bypassing the return address check at line 17? Wasn't it meant to be a ret2libc exploit?

    1. Sorry to disappoint you :| I just changed the proposed 0xb... to something else (which was the place with the shellcode).
