Welcome to the first challenge from Protostar series brought to us by Exploit Exercises.
At first we are given a source code of the challenge.
As we can see, our goal is to modify the value of modified variable, which is for now equal to 0. But before the declaration of this variable, we have a character buffer 64 elements in size.
Just after these two variables, we have gets() function that will copy anything that we enter into the buffer. From man pages, we can remeber that this function should not be used.
With that information, let’s jump and ssh into the the protostar machine.
Now let’s move into the directory containing challenge binaries.
Here we can see how the program works in real sitation. It takes the input from the user, and as the modified variable was not modified, it prints Try again? string. But as we know that the buffer can contain only 64 elements, let’s print an absurd number of a letters passing them into the binary.
And here it is, we modified the modified variable. But why did it happen? We can view the binary using tools such as gdb in order to see how their internal system works.
Firstly, we have to set the assembly syntax into the Intel one, as for me it’s easier to read. After that we’re ready to analyze the assembly code of the main() function.
As we know that the buffer is getting overfilled just after the gets() function, we can put a breakpoint just after this function at 0x08048411 address. That way, the flow of the program will stop and we will be able to freely look around registers and memory used at that particular moment.
This time, I’m running the binary with small input, such that will not overfill the buffer. That will show you a difference between this run, and run using large input.
Together with the fact that the variables are stored in stack, we will have to view it. In order to do it, we can use this command x/40x $esp. Let’s analyze it. Letters x means that the output will be printed in the hexadecimal format, 40 is the number of elements that we want to print and $esp is the name of the register we want to use.
But why ESP register? Simply because it stores the address of the most recent value pushed on the stack, which in our case are the variables.
See the big number of 0x61 digits stored in memory? If we’ll take a look at the ASCII chart, we’ll know that it’s the value of the a letters, so that what we enetered. On the other hand, we can also see place where there are only 0x00 values, which will probably mean that that’s the place where our modified variable is stored.
Now we can run this binary once again, but this time with the input consisting of 65 a letters.
Here we can see that the place where 0x00 values were, now is overwritten with single 0x61 value, and since that we know it’s modified. Doing this changed the flow of the program, resulting in our success.