Skip to content

Latest commit

 

History

History
91 lines (62 loc) · 3.05 KB

stackzero.md

File metadata and controls

91 lines (62 loc) · 3.05 KB
description
07/17/23

0⃣ Stack Zero

This level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution.

Source Code:

{% embed url="http://exploit.education/phoenix/stack-zero/" %}

/*
 * phoenix/stack-zero, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable.
 *
 * Scientists have recently discovered a previously unknown species of
 * kangaroos, approximately in the middle of Western Australia. These
 * kangaroos are remarkable, as their insanely powerful hind legs give them
 * the ability to jump higher than a one story house (which is approximately
 * 15 feet, or 4.5 metres), simply because houses can't can't jump.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer);

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts(
        "Uh oh, 'changeme' has not yet been changed. Would you like to try "
        "again?");
  }

  exit(0);
}

Since gets(local.buffer) is accepting user input, it stores it into a pointed string. In this case, buffer. Once this

Since the buffer size is statically allocated to [64] bytes, this makes overwriting the variable that is being stored on the stack, possible if we try to store too many bytes within the buffer.

{% embed url="https://man7.org/linux/man-pages/man3/gets.3.html" %}

Exploitation

Let's simply execute the program and see what happens:

Let's send a bunch of X's through stdin to see if we can overwrite the variable that is being placed on the stack:

Great, we can see that the variable being stored on the stack has been overwritten with out X's!

However, how can we do this in a more accurate manner?

  • We can use Python!
python3 -c 'print("X"*65)' | ./stack-zero

Just to ensure that this theory and solution is correct, let's send a string of 64 X's to the buffer to fill the statically allocated buffer to its max:

Just as expected, it does not work because the buffer is still allocated for 64 bytes of data to be stored within it. Anything over, and the variable will be overwritten.