Exploit Education Phoenix : Stack One
Table of Contents
Exploit Education Phoenix - This article is part of a series.
Overview of the challenge #
The aim of the Phoenix challenges is to analyse the source code of an executable in order to find and exploit a vulnerability. This first series of challenges concerns the stack.
The first thing to do is to analyse the executable’s source code. Looking for a vulnerability to exploit.
int main(int argc, char **argv) {
struct {
char buffer[64];
volatile int changeme;
} locals;
printf("%s\n", BANNER);
if (argc < 2) {
errx(1, "specify an argument, to be copied into the \"buffer\"");
}
locals.changeme = 0;
strcpy(locals.buffer, argv[1]);
if (locals.changeme == 0x496c5962) {
puts("Well done, you have successfully set changeme to the correct value");
} else {
printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n", locals.changeme);
}
exit(0);
}
The first thing we notice is that, in order to pass the challenge, we need to change the value of the changeme variable so that it is equal to the value 0x496c5962. This variable is part of a structure made up of a 64-character buffer and the changeme variable. As the 2 variables are part of the same structure and the changeme variable is declared with the volatile keyword, which prevents compiler optimisation, we can imagine that their memory locations follow each other and therefore that the changeme variable is the memory location that follows the buffer.
The next thing we notice is the use of the strcpy function. When we look at the documentation for the function using the command: man strcpy, it explains how the function works. The strcpy function takes 2 parameters, the address of the string you wish to copy and the destination address of the buffer. Each character is written to the buffer until the function detects a \0. Note that the \0 character is also copied.
The documentation provides us with new information: this function must be used very carefully, as it is sensitive to buffer overflow attacks. The function does not know how many characters it will write to the buffer and cannot be used to limit the number of characters copied, unless its strncpy variant is used. If the number of input characters exceeds the size of the buffer, the strcpy function will continue to write to the next memory location until it finds a \0 character.
Now that we’ve identified the sensitive parts of the source code, all we have to do is abuse the vulnerability to succeed in the challenge.
Exploiting the vulnerability #
To do this, we need to exploit a buffer overflow vulnerability, we need to enter a string that is longer than the buffer size. We’ll fill the buffer with 64 characters and then specific bytes so that the changeme variable takes the value 0x496c5962.
To make it easier to create the string, we can use Python.
$ ./stack-one $(python -c 'print "A"*64 + "\x62\x59\x6C\x49"')
With this command, we create a string of 64 'A' characters which fills the buffer and \x62\x59\x6C\x49 the value of the changeme variable.
Finally, we can see that the changeme variable has been modified with the right value, so we can complete the challenge.