Today we will be beginning the Protostar writeups. This is for the first challenge Stack0.

We will begin by taking a look at the source they have provided for us.

protostack0

To succeed in this challenge we need to change the value of the "modified" variable. To do this we need to overflow into this variable to change its value. Lets take a look at this in gdb.

gdb1

If you take a look where the arrow on the left of the addresses is pointing, you will see it is pointing at a test instruction. The test instruction is comparing the same register to itself in this case at this point in execution our EAX register holds the value 0. Earlier in the main function you can see at main+9 we are moving the value 0 onto the stack. So we can use the gets() call to overwrite this value, which will lead to the modified variable's value to be greater than 0.

call
Vulnerable Call^

To overwrite the variable I used this payload.

pay

I wrote the 4 B's in there so we can see them being compared in the test instruction.

pwn

Here we can see that the variable "modified" has been overwritten by our 4 B's, and because EAX was set to the value of our variable that was overflown with B's. Our EAX register now contains BBBB or in hexadecimal 0x42424242.

k

Lets see it in action!

done

Tada! We have overwritten the "modified" variable and changed the execution course to our wanting.