Stack Four :: Andrew Griffiths' Exploit Education
Stack Four
Stack Four takes a look at what can happen when you can overwrite the saved instruction pointer (standard buffer overflow).
Hints
- The saved instruction pointer is not necessarily directly after the end of variable allocations – things like compiler padding can increase the size. Did you know that some architectures may not save the return address on the stack in all cases?
- GDB supports “run < my_file” to direct input from my_file into the program.
```c
/*
 * phoenix/stack-four, by https://exploit.education
 *
 * The aim is to execute the function complete_level by modifying the
 * saved return address, and pointing it to the complete_level() function.
 *
 * Why were the apple and orange all alone? Because the bananna split.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* LEVELNAME is not defined in this file; it has to be supplied at compile time. */
#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

/* Declared by hand because modern C headers no longer declare gets(). */
char *gets(char *);

void complete_level() {
  printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
  exit(0);
}

void start_level() {
  char buffer[64];
  void *ret;

  /* Intentionally vulnerable: gets() has no length limit, so input longer
   * than 64 bytes writes past buffer into the rest of the stack frame. */
  gets(buffer);

  /* Prints the address this function will return to after the read. */
  ret = __builtin_return_address(0);
  printf("and will be returning to %p\n", ret);
}

int main(int argc, char **argv) {
  printf("%s\n", BANNER);
  start_level();
}
```
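The fix for the `gets(buffer)` call in `start_level()`, as an added example that is not part of the original level: a bounded line reader that never writes past the 64-byte buffer and rejects over-long input instead of silently truncating it. The names `read_line_bounded`, `demo_read` and `BUF_SIZE` are hypothetical, and the input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* same size as buffer[] in start_level() */

/* Read one line into buf (capacity cap, NUL included).
 * Returns the line length, -1 on EOF/error, or -2 when the line does not
 * fit. An over-long line is drained and buf is emptied, so nothing is ever
 * written past buf[cap - 1] and the next read starts on a fresh line. */
long read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0'; /* complete line: strip the newline */
        return (long)len;
    }
    /* No newline stored: either the line ended exactly here, or it is too long. */
    int c = getc(in);
    if (c == '\n' || c == EOF)
        return (long)len;
    while ((c = getc(in)) != '\n' && c != EOF)
        ; /* discard the remainder of the over-long line */
    buf[0] = '\0';
    return -2;
}

/* Hypothetical helper: runs the reader over constructed input via a temp file. */
long demo_read(const char *input, char *out, size_t cap) {
    FILE *f = tmpfile();
    if (f == NULL)
        return -3;
    fputs(input, f);
    rewind(f);
    long r = read_line_bounded(f, out, cap);
    fclose(f);
    return r;
}

int main(void) {
    char buffer[BUF_SIZE], big[102];
    memset(big, 'A', 100); /* constructed input: 100 bytes, more than buffer holds */
    big[100] = '\n';
    big[101] = '\0';
    printf("short line -> %ld\n", demo_read("hello\n", buffer, sizeof buffer));
    printf("long line  -> %ld\n", demo_read(big, buffer, sizeof buffer));
    return 0;
}
```

Compiler defenses such as stack protectors limit the damage of an overflow, but bounding the read removes the overflow itself.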