Protostar Exploitation Challenges Stack3 Solution

Introduction

This level is much the same as the others. The only difference is that instead of overwriting a regular variable, you overwrite a function pointer. When the program calls through the pointer, it jumps to the address you overwrote it with instead of the original one.
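Why a function pointer sitting behind a buffer is a problem, and how a length check prevents the overwrite, modelled as a self-contained C program. This is an added example, not the challenge's source code: the struct layout, the 64-byte size and the helper names unsafe_fill, safe_fill and run_demo are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64 /* assumed buffer size, for illustration only */

/* Assumed layout: a function pointer placed right behind a buffer. */
struct frame {
    char buffer[BUF_LEN];
    void (*fp)(void);
};

static int win_called;
static void win(void) { win_called = 1; }

/* Models an input routine with no length check: bytes past BUF_LEN
   spill into fp. Capped at sizeof *f so the demo itself stays defined. */
static void unsafe_fill(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f, in, n > sizeof *f ? sizeof *f : n);
}

/* Hardened form: reject input that does not fit the buffer. */
static int safe_fill(struct frame *f, const unsigned char *in, size_t n) {
    if (n >= BUF_LEN) return -1;
    memcpy(f->buffer, in, n);
    f->buffer[n] = '\0';
    return 0;
}

/* Feeds the same oversized input to either routine and reports
   whether the later indirect call ended up in win(). */
int run_demo(int hardened) {
    struct frame f;
    unsigned char input[sizeof f]; /* constructed sample input */
    void (*target)(void) = win;
    memset(&f, 0, sizeof f);       /* fp starts out NULL */
    memset(input, 'A', sizeof input);
    memcpy(input + offsetof(struct frame, fp), &target, sizeof target);
    win_called = 0;
    if (hardened) safe_fill(&f, input, sizeof input);
    else          unsafe_fill(&f, input, sizeof input);
    if (f.fp) f.fp();              /* the indirect call */
    return win_called;
}

int main(void) {
    printf("unchecked: %d, bounded: %d\n", run_demo(0), run_demo(1));
    return 0;
}
```

With the unchecked copy the pointer is replaced and the indirect call reaches win; with the bounded copy the oversized input is rejected and the pointer stays NULL.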

Exploitation

The hint tells you to use gdb or objdump. With objdump, look at the symbol table using the -t option and filter for win: objdump -t stack3 | grep win.

user@protostar:/opt/protostar/bin$ objdump -t stack3 | grep win
08048424 g F .text 00000014 win

This tells us that the symbol for win is at 0x08048424. To use GDB instead, load stack3 in GDB and print the address of win:

user@protostar:/opt/protostar/bin$ gdb stack3
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack3...done.
(gdb) p win
$1 = {void (void)} 0x8048424 <win>

The rest of the exploit is exactly the same as we saw before:
