Exploit Education Phoenix · stack-four (adapted)

Stack Lab

A 64-byte stack buffer, a saved frame pointer, a saved return address. gets() with no bounds check. Write past the buffer, past RBP, into the return address — when the function returns, execution jumps wherever you told it to.

Step 1 of 5: Benign input
64 bytes or fewer fit in buffer. Function returns normally.
Status: SAFE, saved rip = 0x0000555555555230

gdb session: x/10gx $rsp   (examine the ten 8-byte words starting at $rsp)

Stack frame ($rsp = 0x7fffffffdc30; gets() writes left to right, higher addresses on the right):
  buffer[64]      64 B   gets() target
  saved RBP        8 B
  saved return     8 B   popped by ret
An over-long line fills buffer[64], then the saved RBP, then the saved return.
The vulnerable source (stack-four.c)

#include <stdio.h>
#include <stdlib.h>

char *gets(char *s);   /* removed from <stdio.h> in C11; declared here so the
                          deliberately unsafe call below still compiles */

/* Not called anywhere in the program's normal control flow. */
void complete_level(void) {
    printf("Congratulations, you've finished!\n");
    exit(0);
}

void start_level(void) {
    char buffer[64];
    gets(buffer);                  /* no bounds check: copies until newline or EOF */
}

int main(int argc, char **argv) {
    start_level();
    return 0;
}
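Added example, not part of the Phoenix lab or its source: a bounded line reader that stands in for the gets() call in start_level, beside a small model of the frame layout the page describes (64-byte buffer, 8-byte saved RBP, 8-byte saved return). The names read_line_bounded, frame_slot_reached, constructed_input and slot_t, and the sample input, are this example's own assumptions. The model records one caveat worth knowing when sizing test inputs: gets() also stores a terminating NUL after the characters typed, so a 64-character line already writes one byte past buffer[64].

```c
/* Added example (not the lab's code): bounded replacement for gets() plus a
 * model of how far an over-long line reaches into the frame described above.
 * All names here (read_line_bounded, frame_slot_reached, constructed_input,
 * slot_t) are this example's own. */
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the page: gets() writes upward from the start of
 * buffer, through the saved RBP, into the saved return address. */
#define BUFFER_SIZE      64
#define SAVED_RBP_SIZE    8
#define SAVED_RET_SIZE    8

typedef enum {
    SLOT_BUFFER,      /* last byte written stays inside buffer[64]   */
    SLOT_SAVED_RBP,   /* last byte written lands on the saved RBP    */
    SLOT_SAVED_RET,   /* last byte written lands on the saved return */
    SLOT_BEYOND       /* write runs past this frame entirely         */
} slot_t;

/* Which slot the final byte of an unbounded gets() reaches for a line of
 * input_chars characters. gets() stores input_chars + 1 bytes because of the
 * terminating NUL, so the NUL of a 64-character line lands on the saved RBP. */
slot_t frame_slot_reached(size_t input_chars)
{
    size_t last = input_chars;            /* 0-based index of the NUL byte */
    if (last < BUFFER_SIZE)
        return SLOT_BUFFER;
    if (last < BUFFER_SIZE + SAVED_RBP_SIZE)
        return SLOT_SAVED_RBP;
    if (last < BUFFER_SIZE + SAVED_RBP_SIZE + SAVED_RET_SIZE)
        return SLOT_SAVED_RET;
    return SLOT_BEYOND;
}

/* Hardened replacement for gets(buffer): stores at most cap-1 characters,
 * always NUL-terminates, strips the newline, and drains the rest of an
 * over-long line so the leftover is not misread as the next input.
 * Returns the stored length, or -1 at EOF with nothing read; *truncated is
 * set when the line did not fit. */
int read_line_bounded(char *buf, size_t cap, FILE *in, int *truncated)
{
    *truncated = 0;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                /* whole line fit: drop the newline */
    } else {
        int c;
        while ((c = getc(in)) != EOF && c != '\n')
            *truncated = 1;               /* discard the overflow, remember it */
    }
    return (int)len;
}

/* Constructed sample input: a 100-character line followed by a short one,
 * written to a temporary file so the reader can be exercised offline. */
FILE *constructed_input(void)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (int i = 0; i < 100; i++)
        fputc('A', f);
    fputs("\nshort\n", f);
    rewind(f);
    return f;
}

int main(void)
{
    char buffer[BUFFER_SIZE];
    int truncated;
    int n = read_line_bounded(buffer, sizeof buffer, stdin, &truncated);
    if (n < 0)
        return 1;
    printf("stored %d bytes%s\n", n, truncated ? " (input truncated)" : "");
    return 0;
}
```

With the constructed input, the first call stores 63 bytes and reports truncation, and the second call returns "short" intact, which is what the drain loop buys you: without it the 37 leftover 'A's would be handed to the next read.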
Stack vs. heap overflow

                        Stack                          Heap
Buffer lives on         The call stack                 The glibc heap
Adjacent targets        Saved RBP, saved return        Next chunk's metadata + payload
Control-flow hijack     Return address on ret          Function pointer / vtable
Modern mitigation       Stack canary                   Heap cookies, PAC
Class                   Linear OOB write (CWE-787) in both cases