Phoenix stack 1
/*
* phoenix/stack-one, by https://exploit.education
*
* The aim is to change the contents of the changeme variable to 0x496c5962
*
* Did you hear about the kid napping at the local school?
* It's okay, they woke up.
*
*/
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BANNER \
"Welcome to " LEVELNAME ", brought to you by https://exploit.education"
int main(int argc, char **argv) {
struct {
char buffer[64];
volatile int changeme;
} locals;
printf("%s\n", BANNER);
if (argc < 2) {
errx(1, "specify an argument, to be copied into the \"buffer\"");
}
locals.changeme = 0;
strcpy(locals.buffer, argv[1]);
if (locals.changeme == 0x496c5962) {
puts("Well done, you have successfully set changeme to the correct value");
} else {
printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n",
locals.changeme);
}
exit(0);
}
we have pretty much the same code as stack 0 ,what’s been added is:
- Here we have to enter the buffer as an argument so that it would be assigned to
bufferwith the help of the function strcpy. - Note that strcpy is vulnerable because the source size could be more than destination size.
- the if condition is checking whether the integer
changemeis equal to0x496c5962
So our task here is not only to change the variable changeme to some random value but to specify the value to be 0x496c5962
So we overwrite the buffer with a string which must have 0x496c5962 at the end so that it will take the value of changeme .
Imagine it like that:
1-changeme is still 0.
2- We added 4 charcters “B” and let’s see if BBBB is assigned to changeme
So basically BBBB in hexadecimal is 42424242
Nice!!! so all we have to do is to replace BBBB with 0x496c5962
you got to reverse 0x496c5962 to be \x62\x59\x6c\x49 with this weird syntax
Congrats!!!
