I've been trying the protostar stack0 challenge and wondering how to find out the buffer size if we don't have the source code.
The original site (http://exploit-exercises.com/protostar) is no longer available; however, you can still download a copy of the ISO at https://download.vulnhub.com/exploitexercises/exploit-exercises-protostar-2.iso
Here is the assembly code:
(gdb) disassemble main
Dump of assembler code for function main:
0x080483f4 <main+0>: push ebp
0x080483f5 <main+1>: mov ebp,esp
0x080483f7 <main+3>: and esp,0xfffffff0
0x080483fa <main+6>: sub esp,0x60
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
0x08048409 <main+21>: mov DWORD PTR [esp],eax
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>: test eax,eax
0x08048417 <main+35>: je 0x8048427 <main+51>
0x08048419 <main+37>: mov DWORD PTR [esp],0x8048500
0x08048420 <main+44>: call 0x804832c <puts@plt>
0x08048425 <main+49>: jmp 0x8048433 <main+63>
0x08048427 <main+51>: mov DWORD PTR [esp],0x8048529
0x0804842e <main+58>: call 0x804832c <puts@plt>
0x08048433 <main+63>: leave
0x08048434 <main+64>: ret
End of assembler dump.
(gdb)
Based on the code, I can see the gets function (to read a line from stdin).
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
Therefore, I've set breakpoints before and after that line to see what it does.
(gdb) info breakpoints
No breakpoints or watchpoints.
(gdb) break *0x0804840c
Breakpoint 3 at 0x804840c: file stack0/stack0.c, line 11.
(gdb) break *0x08048411
Breakpoint 4 at 0x8048411: file stack0/stack0.c, line 13.
(gdb)
It's time to test the gets function with random data.
user@protostar:~$ python -c 'print "A"*60'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user@protostar:~$
In the first scenario, I'll supply 60 'A' characters. I use the python command above to generate them.
(gdb) r
Starting program: /opt/protostar/bin/stack0
Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11 in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13 in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip 0x8048411 0x8048411 <main+29>
esp 0xbffff750 0xbffff750
ebp 0xbffff7b8 0xbffff7b8
(gdb) x/40 $esp
0xbffff750: 0xbffff76c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x08048400 0x00000000
0xbffff7b0: 0x08048450 0x00000000 0xbffff838 0xb7eadc76
0xbffff7c0: 0x00000001 0xbffff864 0xbffff86c 0xb7fe1848
0xbffff7d0: 0xbffff820 0xffffffff 0xb7ffeff4 0x0804824b
0xbffff7e0: 0x00000001 0xbffff820 0xb7ff0626 0xb7fffab0
(gdb) c
Continuing.
Try again?
Program exited with code 013.
(gdb)
I know I'll get the answer if I put in more than 64 A's, as I've seen the source code.
(gdb) r
Starting program: /opt/protostar/bin/stack0
Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11 in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13 in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip 0x8048411 0x8048411 <main+29>
esp 0xbffff750 0xbffff750
ebp 0xbffff7b8 0xbffff7b8
(gdb) x/40 $esp
0xbffff750: 0xbffff76c 0x00000001 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x00000041
0xbffff7b0: 0x08048450 0x00000000 0xbffff838 0xb7eadc76
0xbffff7c0: 0x00000001 0xbffff864 0xbffff86c 0xb7fe1848
0xbffff7d0: 0xbffff820 0xffffffff 0xb7ffeff4 0x0804824b
0xbffff7e0: 0x00000001 0xbffff820 0xb7ff0626 0xb7fffab0
(gdb) c
Continuing.
you have changed the 'modified' variable
Program exited with code 051.
(gdb)
The question is: what if I don't have the source code?
How do I find out the exact buffer size?
I'm a newbie in RE, but I'll try my best to answer it.
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
At main+9 it stores 0x0 at [esp+0x5c], and any input will be stored in the buffer starting from [esp+0x1c] up to [esp+0x5c]. So 0x5c-0x1c = 64 (decimal).
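The offset arithmetic in the answer can be automated so it works on any small function of this shape, not only stack0. The script below is an added example, not part of the question or answer: it parses a gdb "disassemble" dump, recovers the frame size from the prologue, collects every esp-relative local the function touches, finds the local whose address is passed to gets, and reports the distance to the next higher local (for stack0, 0x5c-0x1c = 64). It also parses an "x/40 $esp" dump so the computed slot can be checked against what actually landed there; the disassembly and dump strings are copied from the session above and labelled as constructed sample input, and the function and variable names are my own.

```python
import re

# Constructed sample input: the first instructions of stack0's main, copied
# from the gdb session in the question above (Intel syntax).
DISASSEMBLY = """\
0x080483f4 <main+0>: push ebp
0x080483f5 <main+1>: mov ebp,esp
0x080483f7 <main+3>: and esp,0xfffffff0
0x080483fa <main+6>: sub esp,0x60
0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>: lea eax,[esp+0x1c]
0x08048409 <main+21>: mov DWORD PTR [esp],eax
0x0804840c <main+24>: call 0x804830c <gets@plt>
0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>: test eax,eax
"""

# Constructed sample input: three lines of the 'x/40 $esp' dump taken after
# the 65-byte input in the question (esp was 0xbffff750 at that breakpoint).
DUMP_AFTER_65_BYTES = """\
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x00000041
0xbffff7b0: 0x08048450 0x00000000 0xbffff838 0xb7eadc76
"""
ESP_AT_BREAKPOINT = 0xBFFFF750

INSN_RE = re.compile(r"^0x[0-9a-f]+\s+<[^>]+>:\s+(\w+)\s+(.*)$")
SLOT_RE = re.compile(r"\[esp\+0x([0-9a-f]+)\]")
DUMP_RE = re.compile(r"^(0x[0-9a-f]+):\s+(.*)$")


def parse_instructions(text):
    """Turn a gdb 'disassemble' dump into a list of (mnemonic, operands)."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            insns.append((m.group(1), m.group(2)))
    return insns


def frame_size(insns):
    """Bytes reserved by the prologue's 'sub esp,IMM', or None if absent."""
    for mnemonic, operands in insns:
        if mnemonic == "sub" and operands.startswith("esp,"):
            return int(operands.split(",", 1)[1], 16)
    return None


def stack_slots(insns):
    """Every esp-relative local offset the function touches, ascending.
    A bare '[esp]' is the outgoing-argument slot, so it is skipped on purpose."""
    offsets = set()
    for _, operands in insns:
        for m in SLOT_RE.finditer(operands):
            offsets.add(int(m.group(1), 16))
    return sorted(offsets)


def buffer_passed_to(insns, callee):
    """Offset of the local whose address the last 'lea' before 'call <callee>'
    computed; that is how the compiler passes a stack buffer as an argument."""
    last_lea = None
    for mnemonic, operands in insns:
        if mnemonic == "lea":
            m = SLOT_RE.search(operands)
            if m:
                last_lea = int(m.group(1), 16)
        elif mnemonic == "call" and callee in operands:
            return last_lea
    return None


def buffer_capacity(insns, callee="gets"):
    """Distance from the buffer start to the next higher local (or to the end
    of the frame when nothing lies above it): the size the compiler laid out."""
    start = buffer_passed_to(insns, callee)
    if start is None:
        return None
    higher = [o for o in stack_slots(insns) if o > start]
    end = higher[0] if higher else frame_size(insns)
    return end - start


def parse_dump(text):
    """Map address -> dword from 'x/N $esp' output (four words per line)."""
    memory = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            memory[base + 4 * i] = int(word, 16)
    return memory


def slot_value(dump_text, esp, offset):
    """Read the dword at [esp+offset] from a captured dump."""
    return parse_dump(dump_text)[esp + offset]


INSNS = parse_instructions(DISASSEMBLY)

if __name__ == "__main__":
    start = buffer_passed_to(INSNS, "gets")
    cap = buffer_capacity(INSNS)
    print("frame size       :", hex(frame_size(INSNS)))
    print("gets() buffer    : [esp+%#x], %d bytes" % (start, cap))
    # The slot right after the buffer is [esp+0x5c]; after 65 bytes of input
    # the 65th 'A' (0x41) plus the terminating NUL written by gets sit there.
    after = slot_value(DUMP_AFTER_65_BYTES, ESP_AT_BREAKPOINT, start + cap)
    print("[esp+%#x] after 65-byte input: %#010x" % (start + cap, after))
```

The capacity this reports is the compiler's layout, which is what matters for the question; the dump check is the same cross-check the question did by hand, reading the word that follows the buffer rather than eyeballing the whole dump.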