Exploit Education Phoenix : Stack Two
Table of Contents
Exploit Education Phoenix - This article is part of a series.
Overview of the challenge #
The aim of the Phoenix challenges is to analyse the source code of an executable in order to find and exploit a vulnerability. This first series of challenges concerns the stack.
The first thing to do is to analyse the executable’s source code. Looking for a vulnerability to exploit.
int main(int argc, char **argv) {
struct {
char buffer[64];
volatile int changeme;
} locals;
char *ptr;
printf("%s\n", BANNER);
ptr = getenv("ExploitEducation");
if (ptr == NULL) {
errx(1, "please set the ExploitEducation environment variable");
}
locals.changeme = 0;
strcpy(locals.buffer, ptr);
if (locals.changeme == 0x0d0a090a) {
puts("Well done, you have successfully set changeme to the correct value");
} else {
printf("Almost! changeme is currently 0x%08x, we want 0x0d0a090a\n", locals.changeme);
}
exit(0);
}
The first thing we notice is that, in order to pass the challenge, we need to change the value of the changeme variable so that it is equal to the value 0x0d0a090a. This variable is part of a structure made up of a 64-character buffer and the changeme variable. As the 2 variables are part of the same structure and the changeme variable is declared with the volatile keyword, which prevents compiler optimisation, we can imagine that their memory locations follow each other and therefore that the changeme variable is the memory location that follows the buffer.
We also notice the use of the getenv function. To find out how this function works, we can use the man getenv command to get the function’s documentation. The getenv function searches the environment list to find the environment variable name, and returns a pointer to the corresponding value string.
Finally, we notice is the use of the strcpy function. When we look at the documentation for the function using the command: man strcpy, it explains how the function works. The strcpy function takes 2 parameters, the address of the string you wish to copy and the destination address of the buffer. Each character is written to the buffer until the function detects a \0. Note that the \0 character is also copied.
The documentation provides us with new information: this function must be used very carefully, as it is sensitive to buffer overflow attacks. The function does not know how many characters it will write to the buffer and cannot be used to limit the number of characters copied, unless its strncpy variant is used. If the number of input characters exceeds the size of the buffer, the strcpy function will continue to write to the next memory location until it finds a \0 character.
Now that we’ve identified the sensitive parts of the source code, all we have to do is abuse the vulnerability to succeed in the challenge.
Exploiting the vulnerability #
To do this, we need to exploit a buffer overflow vulnerability, we need to enter a string that is longer than the buffer size. We’ll fill the buffer with 64 characters and then specific bytes so that the changeme variable takes the value 0x0d0a090a. However, we need to pass the string to the program via the ExploitEducation environment variable.
To make it easier to create the string, we can use Python.
$ export ExploitEducation=$(python -c 'print "A"*64 + "\x0A\x09\x0A\x0D"') && ./stack-two
With this command, we create a string of 64 'A' characters which fills the buffer and \x0A\x09\x0A\x0D the value of the changeme variable.
Finally, we can see that the changeme variable has been modified with the right value, so we can complete the challenge.