Protostar/Stack 3

If you get stuck, you can watch the solution and explanation here:

This video shows you how to take over control of a program with a buffer overflow

Stack3 looks at environment variables and how they can be set, and at overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).

Both gdb and objdump are your friends when determining where the win() function lies in memory.

This level is at /opt/protostar/bin/stack3


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  /* unbounded read: input longer than buffer overwrites fp (the flaw this level teaches) */
  gets(buffer);

  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
}
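The hardened counterpart to this level, as an added example that is not part of the Protostar source: a bounded fgets() read that detects and discards over-long input, so a function pointer stored next to the buffer stays untouched. The names struct frame, read_line_bounded, run_level and sample_input are assumptions of this example, and the input lines are constructed.

```c
/* Added example (not the Protostar source): bounded read next to a function pointer. */
#include <stdio.h>
#include <string.h>

/* Buffer and pointer share a struct so their layout is fixed. */
struct frame {
    char buffer[64];
    int (*fp)(void);
};

/* Read one line into dst (cap bytes): 0 = fit, 1 = too long (excess drained), -1 = EOF/error. */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (in == NULL || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    int c, extra = 0;            /* no newline stored: drain the rest of the line */
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra = 1;
    return extra;
}

/* Returns read_line_bounded()'s result, or 2 if the read changed fp. */
int run_level(FILE *in)
{
    struct frame f = { .fp = NULL };
    int rc = read_line_bounded(in, f.buffer, sizeof f.buffer);
    return f.fp != NULL ? 2 : rc;
}

/* Constructed sample input: a line of n 'A' bytes in a temporary file. */
FILE *sample_input(size_t n)
{
    FILE *t = tmpfile();
    if (t == NULL) return NULL;
    while (n--) fputc('A', t);
    fputc('\n', t);
    rewind(t);
    return t;
}

int main(void)
{
    printf("%d %d\n", run_level(sample_input(10)), run_level(sample_input(200)));
    return 0;
}
```

A return value of 1 is the signal worth logging or rejecting on: the caller learns the line exceeded the buffer instead of silently processing a truncated prefix.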

See also

This video introduces how to connect to the VM with ssh and explains what setuid binaries are.

We will write our first Buffer Overflow for the stack0 level of

This is a mirror. Copyright and original can be found here: