Protostar: Unravel stack0 with Radare2

After a few months without using radare2 it’s now time to get back to the write ups. During this time, and as you can see in my previous posts, I’ve been acquiring knowledge in other IT Security areas. I’ll now return with Protostar challenges and Radare2, starting with stack0.

Looking at the code for the stack0 challenge, we can realize it’s not that complicated. The program collects input from the user and after that, checks if the modified variable, set to 0 in the beginning of the program has changed. But wait… how can it be changed if there isn’t a single line of code that changes this variable??? Let’s see if the assembly has the answer.

We basically have the main function. Let’s disassemble it and analyze the code.

Simple! We have two local variables, local_5ch and local_1ch. The first one is the modified variable, which contains 0. The other one will hold our input. We can also identify the gets function call, which will collect our input and the two strings present in the C code. The jump instruction at 0x08048417 address will decide the string to print, based on the result of the test operator.

Now let’s retrieve the two variables from the stack.

See? The modified variable is at a higher address than our input and remember, the stack grows from higher addresses to lower addresses. Now, the distance between these two addresses is 0x40 bytes (or 64 in decimal).

Because there’s no limitation on our input, what happens if we write more than 64 bytes of data?

Overflow, that’s what happens. In this case a stack overflow, a very known vulnerability. In a stack overflow we write where we’re not supposed to and in stack0 we overwrite the modified variable.

If you have trouble understanding this by just reading, I advise you to draw the stack like I did in previous posts. Remember, doing is better than watching/reading…