Protostar/Stack 7

Stack6 introduces return to .text to gain code execution.

The Metasploit tool "msfelfscan" makes searching for suitable instructions very easy; otherwise, looking through objdump output will suffice.

This level is at /opt/protostar/bin/stack7

stack7.c

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

char *getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{

  getpath();

}
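
For comparison, a bounded form of getpath(), as an added example that is not part of the original level. The level's own check runs only after gets() has already written past buffer[64], and it rejects only return addresses matching 0xb0000000, so the fix belongs in the read itself. The names getpath_bounded, getpath_from_string and PATH_BUF, the FILE * parameter and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64   /* same size as buffer[] in the level */

/* Bounded variant of getpath(). `in` is a parameter added for this example
 * so the function can be driven from a test as well as from stdin.
 * Returns a heap copy of the line, or NULL on EOF, error or overlong input. */
char *getpath_bounded(FILE *in)
{
    char buffer[PATH_BUF], *out;
    size_t len;
    int c;

    /* fgets stores at most PATH_BUF - 1 bytes plus the terminator, so this
     * read cannot write past the end of buffer[]. */
    if (fgets(buffer, sizeof(buffer), in) == NULL)
        return NULL;
    len = strlen(buffer);
    if (len > 0 && buffer[len - 1] == '\n') {
        buffer[--len] = '\0';              /* complete line: drop newline */
    } else if ((c = fgetc(in)) != '\n' && c != EOF) {
        /* More bytes follow: the line did not fit. Discard the rest and
         * reject it instead of silently truncating the path. */
        while ((c = fgetc(in)) != '\n' && c != EOF)
            ;
        return NULL;
    }
    out = malloc(len + 1);                 /* portable stand-in for strdup */
    if (out != NULL)
        memcpy(out, buffer, len + 1);
    return out;
}

/* Demonstration helper: feed a constructed string through a temp file. */
char *getpath_from_string(const char *s)
{
    FILE *f = tmpfile();
    char *out;
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    out = getpath_bounded(f);
    fclose(f);
    return out;
}

int main(void)
{
    char *p = getpath_from_string("/tmp/example\n");   /* constructed input */
    printf("got path %s\n", p ? p : "(rejected)");
    free(p);
    return 0;
}
```

Building the original with the compiler's stack protector and running it with ASLR and a non-executable stack are additional layers, but they do not replace the bounded read.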

See also

Solving stack6 from exploit-exercises.com with the ret2libc technique.

This video introduces http://exploit-exercises.com, how to connect to the VM with ssh and explains what setuid binaries are.

We will write our first Buffer Overflow for the stack0 level of exploit-exercises.com.

This video shows you how to take over control of a program with a buffer overflow.

We write our first real exploit to get root access. Solving stack5 from exploit-exercises.com with a simple Buffer Overflow and shellcode.

This is a mirror. Copyright and original can be found here: exploit-exercises.com/protostar/stack7/