소스코드
/*
 * Source of the pwnable.kr "bof" challenge as reproduced in the post.
 * The program is intentionally vulnerable: func() reads its input with
 * gets(), which has no length bound.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Prompts for one line on stdin and spawns a shell only when `key` equals
 * 0xcafebabe; otherwise prints "Nah..".
 *
 * overflowme holds 32 bytes, but gets() stops only at a newline or EOF, so
 * any longer line is written past the end of the buffer (stack-based buffer
 * overflow, CWE-121). gets() was removed from the language in C11 for this
 * reason; a real program would use fgets(overflowme, sizeof overflowme, stdin)
 * and reject input that did not fit.
 */
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me! -- unbounded read into a 32-byte buffer
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

/*
 * Entry point: calls func() with a key that does not match, so the shell
 * branch cannot be reached through normal control flow.
 */
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
가상서버에서 #wget http://pwnable.kr/bin/bof 명령어를 이용해서 bof 파일을 다운받은 후 디버깅 해보자
func함수
0x0000062c <func+0>: push ebp
0x0000062d <func+1>: mov ebp,esp
0x0000062f <func+3>: sub esp,0x48 72byte 지역변수 공간 할당
0x0000063d <func+17>: mov DWORD PTR [esp],0x78c
0x00000644 <func+24>: call 0x645 <func+25> printf("overflow me : ")
0x00000649 <func+29>: lea eax,[ebp-44]
0x0000064c <func+32>: mov DWORD PTR [esp],eax
0x0000064f <func+35>: call 0x650 <func+36> gets(overflowme)
0x00000654 <func+40>: cmp DWORD PTR [ebp+8],0xcafebabe if ( key == 0xcafebabe )
0x0000065b <func+47>: jne 0x66b <func+63>
0x0000065d <func+49>: mov DWORD PTR [esp],0x79b
0x00000664 <func+56>: call 0x665 <func+57>
0x00000669 <func+61>: jmp 0x677 <func+75>
0x0000066b <func+63>: mov DWORD PTR [esp],0x7a3
0x00000672 <func+70>: call 0x673 <func+71>
0x00000677 <func+75>: mov eax,DWORD PTR [ebp-12]
0x0000067a <func+78>: xor eax,gs:0x14
0x00000681 <func+85>: je 0x688 <func+92>
0x00000683 <func+87>: call 0x684 <func+88>
메모리 구조
overflowme 32byte ebp-44
dummy 8byte
saved ebp ebp
saved eip ebp+4
argv ebp+8 func 함수의 첫번째 인자(key) <-- 0xcafebabe 로 변조