Pheonix stack-three write-up


this level is a bit advanced from the previous level because here we introduce the concept of redirecting code execution to another function by overwriting the EIP(32-bit instruction pointer register).In our case we will redirect code excution to complete_level function.


As always we start by analyzing our code carefully and check out the vulnerable function again here it’s the gets function which copies undetermined amount of bytes so we know from this that our attack vector will be overflowing the stack and to overwrite the address of EIP by putting the address of the complete_level function, there are three steps we will follow to solve this level:

  1. find the difference between the start of the buffer and the function pointer fp
  2. get the address of complete_level function
  3. craft our exploit 

One resource that I found very useful was a gdb cheat sheet I found first we will disassemble the programme and this would be our result.

so first for step :

    we got out start buffer address by issuing this command in gdb. 

then we want to get the address of the function pointer fp

if we take a look at the disassembler 

in this line    0x00000000004006ce <+25>:    mov    QWORD PTR [rbp-0x10],0x0 we can get the address of the address of the function pointer fp by issuing this command in gdb  x/x $rbp-0x10 so the result is 0x7fffffffe640 now we subtract the two addresses 

0x7fffffffe640 – 0x7fffffffe600 = 0x40 base 16 = 64 base 10 

second step: 

    we will learn now about a nice command called objdump we will use it to get the address of the complete function by typing objdump -t ./stack-three | grep  complete_level 

third step: 

    now our exploit is ready to be crafted our stack looks something like this 

so our exploite is 

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s