Write-up – Protostar: Stack0

Tram Ho

Hi everyone, this is my first post about Protostar; in this part I will write about the stack, starting from stack0. Since this is my first post, if there are any mistakes, please comment below. Basically, my writeups will explain in detail how each section works. The download and installation link is here: https://exploit.education/protostar/stack-zero/

After installing the virtual machine, you can work directly in the virtual machine console, or connect over ssh with the username user and the password user. Type bash to get a normal command line; the exercise files are stored in /opt/protostar/bin.

![](https://images.viblo.asia/43cfa798-2515-4439-8b86-14a4b19fd58c.png)

Next, use gdb to debug stack0.

![](https://images.viblo.asia/cc7eafed-2df6-4fba-a798-000ffa2d5bad.png)

First I did some basic settings and changed the disassembly flavor to intel because I’m used to this syntax; you can keep the default. Setting a breakpoint at *main and running disassemble main gives the following:

![](https://images.viblo.asia/d8aabafd-3e72-4578-8ff0-95e0a8823188.png)

The stack is a LIFO (last in, first out) structure characterized by two operations, push and pop. ESP and EBP are the two registers that support working on the stack. ESP (stack pointer) points to the top of the stack; its value changes every time the stack does a push or a pop. EBP (base pointer) is the base pointer, whose value stays constant within a given function; the program uses it as a fixed reference point for locating local variables and parameters. The first 2 lines push ebp onto the stack and then set ebp = esp. To see this in more detail, let’s set up a hook-stop. In simple terms, hook-stop is a user-defined gdb command that runs every time execution stops at a breakpoint.

![](https://images.viblo.asia/c15e6b7c-3495-4f65-919c-35f29cac3ef2.png)

info registers prints the registers. x/32wx $esp prints the 32 words (4-byte values) stored on the stack starting from $esp. x/2i prints the next 2 instructions after the break. See more about the x command here: https://visualgdb.com/gdbreference/commands/x

After setting up hook-stop, I run the program; it breaks at *main, and from there si steps one instruction at a time so you can watch the registers change. In the main function there are calls to two other functions, gets and puts. gets reads data from the keyboard, but it does no bounds checking, so it can cause a buffer overflow. The next 5 lines allocate memory for the array buffer[64] and perform the assignment modified = 0; the modified variable is stored at esp + 0x5c.

![](https://images.viblo.asia/ff5bb128-c9eb-4413-b2aa-6b8789ee5fd4.png)

Set a breakpoint at gets, then run c (continue).

![](https://images.viblo.asia/52016a06-3a76-4bf5-bcdf-64c266fd2cc0.png)

The location highlighted in green in the image is modified. eax now holds the address 0xbffff75c, and the modified variable is at 0xbffff79c. gets will write data starting at the address held in eax; from 0xbffff75c to 0xbffff79c is 0x40 = 64 addresses, i.e. 64 bytes (each address holds one byte). Put a breakpoint after gets (break *0x08048411) and give gets 64 ‘A’ characters; we get the following result:

![](https://images.viblo.asia/92f99aac-d8ed-4d35-9267-6a778f927917.png)

0x41 is the ASCII value of ‘A’. It can be seen that if we add one more character, the modified variable will be overwritten. Run the program again with 65 ‘A’ characters, and here is the result:

![](https://images.viblo.asia/e4a58665-5860-4df5-91c6-65298139cbaa.png)

The modified variable has been changed.

Run the program, and we get the desired result:

![](https://images.viblo.asia/f2adfdac-917e-4069-ba2a-f4e3fcad976d.png)

In addition, among the last 2 lines of the main function is the leave instruction, which sets esp = ebp and pops ebp from the stack; that is why ebp was used to save esp at the beginning. Similarly, you can try stack1 and stack2. Thank you for reading my article; if you have any ideas, please leave a comment below so I can learn from them.
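To make the frame layout concrete, here is an added example (my own illustration, not code from the Protostar binary or from this writeup) that models the stack0 frame seen in the gdb dump as a byte array and contrasts a gets-style unbounded copy with an fgets-style bounded one; the names simulate, unbounded_read and bounded_read are my own.

```c
#include <stdint.h>
#include <string.h>

/* Simulated stack0 frame as the gdb dump on this page shows it: buffer[64]
 * first, then the 4-byte `modified` directly after it (0xbffff75c + 64 =
 * 0xbffff79c). A byte array stands in for the real frame so the overflow
 * is reproduced with defined behaviour instead of a real stack smash. */
#define BUFFER_SIZE 64
#define FRAME_SIZE  (BUFFER_SIZE + 4)   /* [0..63] buffer, [64..67] modified */

static uint32_t read_modified(const uint8_t *frame) {
    uint32_t v;                          /* little-endian, as on x86 */
    memcpy(&v, frame + BUFFER_SIZE, sizeof v);
    return v;
}

/* gets()-style read: copies until the NUL with no length limit, so
 * anything beyond buffer[63] lands in `modified`. */
static uint32_t unbounded_read(const char *input) {
    uint8_t frame[FRAME_SIZE] = {0};     /* modified = 0, as in main */
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;  /* simulation limit only */
    memcpy(frame, input, n);
    return read_modified(frame);
}

/* fgets(buffer, sizeof buffer, stdin)-style read: at most 63 chars plus
 * the terminating NUL, which is the fix for this bug class. */
static uint32_t bounded_read(const char *input) {
    uint8_t frame[FRAME_SIZE] = {0};
    size_t n = strlen(input);
    if (n > BUFFER_SIZE - 1) n = BUFFER_SIZE - 1;
    memcpy(frame, input, n);
    frame[n] = '\0';
    return read_modified(frame);
}

/* Feed `count` 'A' characters (0x41) through either read and return the
 * value `modified` ends up holding. */
uint32_t simulate(size_t count, int bounded) {
    char input[FRAME_SIZE + 1];
    if (count > FRAME_SIZE) count = FRAME_SIZE;
    memset(input, 'A', count);
    input[count] = '\0';
    return bounded ? bounded_read(input) : unbounded_read(input);
}
```

simulate(64, 0) leaves modified at 0 and simulate(65, 0) returns 0x41, matching the two gdb runs above, while the bounded variant returns 0 for any length.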

Source : Viblo