Protostar stack3
About
Stack3 looks at environment variables and how they can be set, and at overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).
Hints:
- Both gdb and objdump are your friends when determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3
Source code
```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);

  if(fp) {
    printf("calling function pointer, jumping to 0x%08x\n", fp);
    fp();
  }
}
```
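
A hardened counterpart to the gets(buffer) call above, as an added example that is not part of the level's source. read_line_bounded, struct frame and fp_intact_after_input are hypothetical names; the struct only models the buffer-then-pointer layout so the check is deterministic, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: read one line, writing at most `size` bytes to buf.
 * Returns 0 if the line fit, 1 if too long (rest discarded), -1 on EOF/error. */
static int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';           /* whole line fit, drop the newline */
        return 0;
    }
    int c = fgetc(in);                 /* buffer full or EOF: look ahead */
    if (c == EOF || c == '\n')
        return 0;
    while (c != EOF && c != '\n')      /* discard the oversized remainder */
        c = fgetc(in);
    return 1;
}

/* Assumed layout model: pointer placed right after the 64-byte buffer. */
struct frame {
    char buffer[64];
    int (*fp)(void);
};

/* Feeds n constructed 'A' bytes plus a newline through a temp file.
 * Returns 1 if fp is still NULL afterwards, 0 if it changed, -1 on error. */
static int fp_intact_after_input(size_t n, int *status)
{
    struct frame f;
    FILE *in = tmpfile();
    if (in == NULL) { *status = -1; return -1; }
    for (size_t i = 0; i < n; i++) fputc('A', in);
    fputc('\n', in);
    rewind(in);
    f.fp = 0;
    *status = read_line_bounded(in, f.buffer, sizeof f.buffer);
    fclose(in);
    return f.fp == 0;
}

int main(void)
{
    int st, intact = fp_intact_after_input(100, &st);
    printf("status=%d fp_intact=%d\n", st, intact);
}
```

Because fgets is told the buffer size, a 100-byte line is reported as too long instead of spilling into the adjacent pointer.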