Protostar/Stack 3

If you get stuck, you can watch the solution and explanation here:

This video shows you how to take over control of a program with a buffer overflow

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)

Hints:
both gdb and objdump is your friend you determining where the win() function lies in memory.

This level is at /opt/protostar/bin/stack3

stack3.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}

See also

This video introduces http://exploit-exercises.com, how to connect to the VM with ssh and explains what setuid binaries are.

We will write our first Buffer Overflow for the stack0 level of exploit-exercises.com.

This is a mirror. Copyright and original can be found here: exploit-exercises.com/protostar/stack3/