Exploiting Protostar Stack4
You can check the previous problems here:
Problem source code
We will work on this problem as we do not have the C source code.
First we want to know more about the binary.
As you can clearly see, our binary is a 32-bit ELF file, not stripped, and it isn't protected with canaries, PIC, NX or RELRO.
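The same three facts reported above (non-PIE, executable stack, no RELRO) can be read straight out of the ELF headers. The following Python script is an added example, not part of the original post and not a radare2 tool: it parses the ELF header and program headers with the standard `struct` module, treats an `ET_DYN` executable as PIE, reads the NX bit from `PT_GNU_STACK` and detects partial RELRO from `PT_GNU_RELRO`. Canary detection (an import of `__stack_chk_fail`) and full RELRO (`DT_BIND_NOW`) need symbol and dynamic-section parsing and are left out. The `build_test_elf32` helper builds a constructed, non-loadable image purely so the checker can be exercised offline.

```python
import struct
import sys

# Constants from the ELF specification (System V ABI plus the GNU program-header extensions).
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # its p_flags decide whether the stack is executable
PT_GNU_RELRO = 0x6474E552   # present => loader re-maps this region read-only (partial RELRO)
PF_X, PF_W, PF_R = 1, 2, 4


def elf_hardening(data: bytes) -> dict:
    """Report PIE / NX / RELRO status for an ELF image given as bytes (32- or 64-bit)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, p_offset, p_vaddr, ...
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_type, p_offset, ..., p_flags, p_align
    report = {"bits": 64 if is64 else 32, "pie": e_type == ET_DYN,
              "nx": False, "relro": False, "gnu_stack_header": False}
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            report["gnu_stack_header"] = True
            report["nx"] = not (ph[flags_idx] & PF_X)   # stack not executable => NX on
        elif ph[0] == PT_GNU_RELRO:
            report["relro"] = True
    # No PT_GNU_STACK header at all: the x86 Linux loader falls back to an executable
    # stack, so "nx" stays False, which is the conservative reading for a defender.
    return report


def build_test_elf32(e_type: int, phdrs) -> bytes:
    """Constructed test input: a minimal ELF32 header plus program headers (not a loadable binary)."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9    # ELFCLASS32, little-endian, EV_CURRENT
    ehsize, phentsize = 52, 32
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 e_type, 3, 1, 0, ehsize, 0, 0,      # type, EM_386, version, entry, phoff, shoff, flags
                                 ehsize, phentsize, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 0)
                    for p_type, p_flags in phdrs)
    return header + body


if __name__ == "__main__":
    # Usage: python elf_hardening.py ./stack4  (any ELF file on disk)
    with open(sys.argv[1], "rb") as fh:
        print(elf_hardening(fh.read()))
```

Run against the stack4 binary from the Protostar VM this prints `pie: False, nx: False, relro: False`, matching the rabin2 output above; the constructed images in the test show the opposite reading for a hardened layout.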
Let's run the app and see it working.
Let's have a look at what's happening inside the app.
We will start the app inside Radare2 and have a look in Visual Mode to try to understand how it works.
iE to get the address of the win function, because we will need it later in our exploit.
So our main Goal is to override
This is how the function looks in Visual Mode.
Now we'll use a tool from radare's framework called ragg2, which allows us to generate a cyclic pattern called a De Bruijn sequence and check the exact offset at which our payload overflows the buffer.
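The De Bruijn trick works because every window of n characters in the pattern occurs exactly once, so whichever four bytes land in a register at the crash map back to a single offset. The script below is an added example, not part of the original post and not ragg2 itself: it generates the sequence with the standard Lyndon-word (FKM) algorithm over the lowercase alphabet with n = 4, the same layout pwntools' `cyclic` uses, and maps a crash-time EIP value back to the pattern offset, which is the crash-triage step you would do when confirming an overflow in a fuzzing report. The `ALPHABET` and `n = 4` defaults are assumptions chosen to match the 32-bit target.

```python
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet: str, n: int):
    """Lazily yield the De Bruijn sequence B(k, n) over `alphabet` (k symbols) via the FKM algorithm."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:                    # emit the Lyndon word a[1..p]
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, alphabet: str = ALPHABET, n: int = 4) -> str:
    """Return the first `length` characters of the pattern; every n-window inside it is unique."""
    return "".join(islice(_de_bruijn(alphabet, n), length))


def cyclic_find(subseq, alphabet: str = ALPHABET, n: int = 4, max_len: int = 100_000) -> int:
    """Offset of an n-character window within the pattern, or -1 if it is not a valid window."""
    if isinstance(subseq, bytes):
        subseq = subseq.decode("ascii", errors="replace")
    if len(subseq) != n:
        raise ValueError(f"need exactly {n} characters, got {len(subseq)}")
    return cyclic(max_len, alphabet, n).find(subseq)


def offset_from_eip(eip: int, n: int = 4) -> int:
    """Map the 32-bit EIP captured at the crash back to the pattern offset.

    The register holds the bytes little-endian, so 0x63616161 came from the
    pattern window b"aaac" (bytes 0x61 0x61 0x61 0x63 in memory order).
    """
    window = eip.to_bytes(4, "little")[:n]
    return cyclic_find(window, n=n)


if __name__ == "__main__":
    pattern = cyclic(200)
    print(pattern)
    # Constructed crash value for illustration, not a value from the post.
    print("EIP 0x63616161 -> offset", offset_from_eip(0x63616161))
```

A value of -1 from `offset_from_eip` means the register was not overwritten by the pattern at all (for example, the crash came from a different corruption than the one under investigation), which is worth checking before trusting an offset.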
Now let’s create a new payload with the right value of
And we did it ;)