description: 11/14/2023

6⃣ StackSix

Where does Stack Six go wrong, and what can you do with it?

Depending on the architecture you’re doing this on, you may need to explore more and be creative with how to solve this level.

The macro GREET is architecture dependent.

Source Code

```c
/*
 * phoenix/stack-six, by https://exploit.education
 *
 * Can you execve("/bin/sh", ...) ?
 *
 * Why do fungi have to pay double bus fares? Because they take up too
 * mushroom.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define LEVELNAME "Stack Six"
#define GREET "Welcome, I am pleased to meet you"
#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *what = GREET;

char *greet(char *who) {
  char buffer[128];
  int maxSize;

  maxSize = strlen(who);
  if (maxSize > (sizeof(buffer) - /* ensure null termination */ 1)) {
    maxSize = sizeof(buffer) - 1;
  }

  strcpy(buffer, what);
  strncpy(buffer + strlen(buffer), who, maxSize);

  return strdup(buffer);
}

int main(int argc, char **argv) {
  char *ptr;
  printf("%s\n", BANNER);

#ifdef NEWARCH
  if (argv[1]) {
    what = argv[1];
  }
#endif

  ptr = getenv("ExploitEducation");
  if (NULL == ptr) {
    // This style of comparison prevents issues where you may accidentally
    // type if(ptr = NULL) {}..

    errx(1, "Please specify an environment variable called ExploitEducation");
  }

  printf("%s\n", greet(ptr));
  return 0;
}
```

The objective is stated in the header comment of the source: make the program execve("/bin/sh", ...). So let's find the vulnerability and use it to gain a shell.

Compilation

gcc -g stack-six.c -o stack-six -fno-stack-protector -z execstack

Vulnerability

The bug is in greet(). maxSize is capped at sizeof(buffer) - 1 = 127, but that cap is measured against the whole of buffer, while strncpy() writes from buffer + strlen(buffer). By then strcpy(buffer, what) has already put the 33-byte GREET string there, so the copy can place up to 127 bytes starting at offset 33 and ending at offset 160: 32 bytes past the end of the 128-byte buffer, into whatever the compiler laid out above it (the saved frame pointer and greet()'s return address among them, with the exact offsets depending on architecture and compiler). Any ExploitEducation value of 96 bytes or more writes past the buffer.

Two smaller points: strncpy() with a count equal to strlen(who) writes no terminating NUL, so buffer is left unterminated and strdup() copies whatever follows it on the stack into the string that main() prints; and in a NEWARCH build argv[1] replaces what, which turns the first strcpy() into an unbounded overflow as well.

The program reads its input from the environment variable ExploitEducation. Because that value will eventually hold raw addresses or shellcode bytes rather than printable text, it is easiest to generate it with python and export it in one step (108 bytes lands 13 bytes past the end of buffer):

{% code overflow="wrap" %}

export ExploitEducation=$(python3 -c "import sys;sys.stdout.buffer.write(b'A'*108)")

{% endcode %}

Debugging

Set the environment variable and run the program (60 bytes here keeps the write inside buffer; the value has to reach 96 bytes before it overflows):

{% code overflow="wrap" %}

export ExploitEducation="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

{% endcode %}

Analyze in debugger:

strcpy() is the first write into buffer (and an unbounded one in a NEWARCH build), so break there and inspect the frame with the environment variable in place; the overflow itself happens in the strncpy() call immediately after it, so that is the next place to step to:

b strcpy

r