This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory. This level is at /opt/protostar/bin/stack1
Hints
If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend
Protostar is little endian
Source code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
This program requires us to pass arguments, with argv[0] being the program name. If we don't provide an extra argument, we are asked to specify an argument.
The strcpy system call is used to read user input into the buffer.
We can see that the characters are read from argv[1] and copied to the buffer.
It is better that the gets syscall but it still has it's own problems.
CAVEATS
The strings src and dst may not overlap.
If the destination buffer is not large enough, the behavior is
undefined.
So the strcpy syscall stores characters past the end of the buffer. This essentially breaks the limit set on the buffer which means we can input more than 64 bytes.
This is the vulnerability that we have to exploit.
But before that let's go through the rest of the code.
There is an if statement which checks if the value of modified in not equal to 0x61626364. If it is not equal to 0, it prints out a string else it prompts us to try again.
We have to overwrite the modified variable using a buffer overflow. For that we have have to know where the modified variable is located.
