Exploit Education Phoenix : Stack Zero
Table of Contents
Exploit Education Phoenix - This article is part of a series.
Overview of the challenge #
The aim of the Phoenix challenges is to analyse the source code of an executable in order to find and exploit a vulnerability. This first series of challenges concerns the stack.
The first thing to do is to analyse the executable’s source code. Looking for a vulnerability to exploit.
char *gets(char *);
int main(int argc, char **argv) {
struct {
char buffer[64];
volatile int changeme;
} locals;
printf("%s\n", BANNER);
locals.changeme = 0;
gets(locals.buffer);
if (locals.changeme != 0) {
puts("Well done, the 'changeme' variable has been changed!");
} else {
puts("Uh oh, 'changeme' has not yet been changed. Would you like to try again?");
}
exit(0);
}
The first thing we notice is that to succeed in the challenge we need to change the value of the changeme
variable. This variable is part of a structure made up of a 64-character buffer and the changeme
variable. Since the 2 variables are part of the same structure and the changeme
variable is declared with the volatile
keyword, which prevents compiler optimisation, we can imagine that their memory locations follow each other and therefore that the changeme
variable is the memory location that follows the buffer.
The next thing we notice is the use of the gets
function. When we look at the documentation for the function using the command: man gets
, it explains how the function works. The gets
function retrieves a string of characters from the standard input (stdin
), each character is written to a buffer until the function detects an EOF
or a line feed. Finally, when one of these characters is detected, it is replaced by a \0
to end the string.
The documentation provides us with new information: this function should no longer be used, as it is sensitive to buffer overflow attacks. The function does not know how many characters it will write to the buffer and cannot be used to limit the number of characters copied. If the number of input characters is greater than the size of the buffer, the gets
function will continue to write to the next memory location.
Now that we’ve identified the sensitive parts of the source code, all we have to do is abuse the vulnerability to succeed in the challenge.
Exploiting the vulnerability #
To do this, we need to exploit a buffer overflow vulnerability, we need to enter a string that is longer than the size of the buffer, in this case we’ll add 1 extra character.
To make it easier to create the string, we can use Python.
$ python -c "print 'A'*65" | ./stack-zero
With this command we create a string of characters made up of 65 'A'
and then we redirect this string of characters to the program.
Finally, we can see that the changeme
variable has been modified, so we can complete the challenge.