PROTOSTAR WALKTHROUGH - STACK3

Prof.bubs
2 min read · Aug 29, 2021

Hello hackers! Hope you are all doing well. Let us jump to stack3 of our Protostar series:

https://exploit.education/protostar/stack-three/

As we can see, the output we need is printed inside the win() function, which is never called from main(). So all we have to do is overflow the buffer and get win() called. Before that, let us draw a simple stack diagram for this program.

STACK-DIAGRAM:

Shuddup, don’t laugh at my diagram.

In the given program we can see that volatile int (*fp)() is declared before the buffer, so it gets pushed onto the stack before the buffer. So what is this volatile (*fp)? According to a StackOverflow definition:

volatile is to tell the compiler not to optimize the reference, so that every read/write does not use the value stored in a register but does a real memory access.

Aha! It tells us that fp is always read back from memory, so once our overflow has overwritten it, the program calls whatever address we put there: give it win()'s address and win() gets called. We don't even have to reach all the way to eip / the return address.

Now we find win()'s address using gdb. After setting a breakpoint on main (break main) and running the program, we simply use the command:

p win

to find win()'s address.

Now we can build our payload:

(python -c "print 'A'*64 + '\x24\x84\x04\x08'") | ./stack3

And voila! Just like that we got what we wanted.

That is going to be it for stack3. More of this stack series is yet to come. Until then, take care and bye bye!
