Protostar/Stack 7

Stack6 introduces return to .text to gain code execution.

The Metasploit tool "msfelfscan" can make searching for suitable instructions very easy; otherwise, looking through objdump output will suffice.

This level is at /opt/protostar/bin/stack7


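#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  /* unbounded read into the 64-byte stack buffer (the level's intended flaw) */
  gets(buffer);

  ret = __builtin_return_address(0);

  /* refuse to return if the saved return address has the 0xb0000000 bits set */
  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();
}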
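A bounded counterpart to getpath(), as an added example that is not part of the original level source: it fixes the root cause (input larger than the 64-byte buffer) rather than filtering the return address afterwards, and rejects over-long lines instead of truncating them silently. The name getpath_bounded, the PATH_BUF constant and the FILE * parameter are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64  /* same size as the level's buffer[64] */

/* Hypothetical hardened getpath(): reads one line from `in` with a hard bound.
 * Returns a heap copy (caller frees), or NULL on EOF, allocation failure,
 * or a line that does not fit in the buffer. */
char *getpath_bounded(FILE *in)
{
  char buffer[PATH_BUF];
  size_t len;
  char *copy;

  if (fgets(buffer, sizeof buffer, in) == NULL)
    return NULL;                        /* EOF or read error */

  len = strcspn(buffer, "\n");
  if (buffer[len] != '\n') {
    int c = fgetc(in);                  /* no newline stored: look at what follows */
    if (c != EOF && c != '\n') {        /* more data on this line: too long */
      while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* drain the rest so the next read is clean */
      return NULL;
    }
  }
  buffer[len] = '\0';                   /* strip the newline, if one was stored */

  copy = malloc(len + 1);
  if (copy != NULL)
    memcpy(copy, buffer, len + 1);
  return copy;
}

int main(void)
{
  char *path;

  printf("input path please: "); fflush(stdout);
  path = getpath_bounded(stdin);
  if (path == NULL) {
    fprintf(stderr, "rejected: no input or over-long input\n");
    return 1;
  }
  printf("got path %s\n", path);
  free(path);
  return 0;
}
```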



See also

Solving stack6 from with the ret2libc technique.

This video introduces how to connect to the VM with ssh and explains what setuid binaries are.

We will write our first Buffer Overflow for the stack0 level of

This video shows you how to take over control of a program with a buffer overflow.

We write our first real exploit to get root access. Solving stack5 from with a simple Buffer Overflow and shellcode.

This is a mirror. Copyright and original can be found here: