Level 0: Candle (10 pts)
The function getbuf() is called within bufbomb by a function test() having the following C code:
 1 void test()
 2 {
 3     int val;
 4     volatile int local = 0xdeadbeef;
 5     entry_check(3); /* Make sure entered this function properly */
 6     val = getbuf();
 7     /* Check for corrupted stack */
 8     if (local != 0xdeadbeef) {
 9         printf("Sabotaged!: the stack has been corrupted\n");
10     }
11     else if (val == cookie) {
12         printf("Boom!: getbuf returned 0x%x\n", val);
13         validate(3);
14     }
15     else {
16         printf("Dud: getbuf returned 0x%x\n", val);
17     }
18 }
When getbuf() executes its return statement (line 5 of getbuf()), the program ordinarily resumes execution within function test() (at line 8 of this function). Within the file bufbomb, there is a function smoke() having the following C code:
void smoke()
{
    entry_check(0); /* Make sure entered this function properly */
    printf("Smoke!: You called smoke()\n");
    validate(0);
    exit(0);
}
Your task is to get bufbomb to execute the code for smoke() when getbuf() executes its return statement, rather than returning to test(). You can do this by supplying an exploit string that overwrites the stored return pointer in the stack frame for getbuf() with the address of the first instruction in smoke(). Note that your exploit string may also corrupt other parts of the stack state, but this will not cause a problem, since smoke() causes the program to exit directly.
Some Advice:
All the information you need to devise your exploit string for this level can be determined by examining a disassembled version of bufbomb.
Be careful about byte ordering.
You might want to use GDB to step the program through the last few instructions of getbuf() to make sure it is doing the right thing.
The placement of buf within the stack frame for getbuf() depends on which version of gcc was used to compile bufbomb. You will need to pad the beginning of your exploit string with the proper number of bytes to overwrite the return pointer. The values of these bytes can be arbitrary.
Dump of assembler code for function test:
0x08048f60 <test+0>: push %ebp
0x08048f61 <test+1>: mov %esp,%ebp
0x08048f63 <test+3>: sub $0x18,%esp
0x08048f66 <test+6>: movl $0xdeadbeef,0xfffffffc(%ebp)
0x08048f6d <test+13>: movl $0x3,(%esp)
0x08048f74 <test+20>: call 0x8048920 <entry_check>
0x08048f79 <test+25>: call 0x8048f40 <getbuf>
0x08048f7e <test+30>: mov %eax,%edx
0x08048f80 <test+32>: mov 0xfffffffc(%ebp),%eax
0x08048f83 <test+35>: cmp $0xdeadbeef,%eax
0x08048f88 <test+40>: je 0x8048f98 <test+56>
0x08048f8a <test+42>: movl $0x8049780,(%esp)
0x08048f91 <test+49>: call 0x8048794 <puts@plt>
0x08048f96 <test+54>: leave
0x08048f97 <test+55>: ret
0x08048f98 <test+56>: cmp 0x804a1b0,%edx
0x08048f9e <test+62>: je 0x8048fb2 <test+82>
0x08048fa0 <test+64>: mov %edx,0x4(%esp)
0x08048fa4 <test+68>: movl $0x8049957,(%esp)
0x08048fab <test+75>: call 0x8048724 <printf@plt>
0x08048fb0 <test+80>: leave
0x08048fb1 <test+81>: ret
0x08048fb2 <test+82>: mov %edx,0x4(%esp)
0x08048fb6 <test+86>: movl $0x804993a,(%esp)
0x08048fbd <test+93>: call 0x8048724 <printf@plt>
0x08048fc2 <test+98>: movl $0x3,(%esp)
0x08048fc9 <test+105>: call 0x8048a60 <validate>
0x08048fce <test+110>: leave
0x08048fcf <test+111>: ret
End of assembler dump.
Dump of assembler code for function smoke:
0x08048d90 <smoke+0>: push %ebp
0x08048d91 <smoke+1>: mov %esp,%ebp
0x08048d93 <smoke+3>: sub $0x8,%esp
0x08048d96 <smoke+6>: movl $0x0,(%esp)
0x08048d9d <smoke+13>: call 0x8048920 <entry_check>
0x08048da2 <smoke+18>: movl $0x8049903,(%esp)
0x08048da9 <smoke+25>: call 0x8048794 <puts@plt>
0x08048dae <smoke+30>: movl $0x0,(%esp)
0x08048db5 <smoke+37>: call 0x8048a60 <validate>
0x08048dba <smoke+42>: movl $0x0,(%esp)
0x08048dc1 <smoke+49>: call 0x80487d4 <exit@plt>
0x08048dc6 <smoke+54>: lea 0x0(%esi),%esi
0x08048dc9 <smoke+57>: lea 0x0(%edi),%edi
End of assembler dump.
Dump of assembler code for function getbuf:
0x08048f40 <getbuf+0>: push %ebp
0x08048f41 <getbuf+1>: mov %esp,%ebp
0x08048f43 <getbuf+3>: sub $0x18,%esp
0x08048f46 <getbuf+6>: lea 0xfffffff4(%ebp),%eax
0x08048f49 <getbuf+9>: mov %eax,(%esp)
0x08048f4c <getbuf+12>: call 0x8048dd0 <Gets>
0x08048f51 <getbuf+17>: mov $0x1,%eax
0x08048f56 <getbuf+22>: leave
0x08048f57 <getbuf+23>: ret
0x08048f58 <getbuf+24>: nop
0x08048f59 <getbuf+25>: lea 0x0(%esi),%esi
End of assembler dump.
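As an added illustration (not code from the lab handout or from the question above), here is a C model of the getbuf() frame using the offsets read off the disassembly: buf starts at %ebp-12 (the lea 0xfffffff4(%ebp) before the call to Gets), followed by the saved %ebp and then the return address. The model adds one slot the bufbomb binary does not have, a canary between buf and the saved frame pointer, to show the check that -fstack-protector would make before ret. The frame_t type, the read_unbounded, read_bounded, canary_intact and return_intact functions, the canary value, the dummy saved %ebp and the 24-byte input are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a getbuf()-style frame. Offsets follow the page's
 * disassembly (12-byte buf at %ebp-12, saved %ebp, return address) with one
 * hypothetical addition: a 4-byte canary between buf and the saved %ebp,
 * which is where -fstack-protector places it. bufbomb itself has no canary. */
enum { BUF_SIZE = 12, CANARY_OFF = 12, SAVED_EBP_OFF = 16, RET_OFF = 20, FRAME_SIZE = 24 };
#define CANARY_VALUE 0x0a1b2c3du     /* constructed; a real canary is random per process */
#define RET_TEST30   0x08048f7eu     /* test+30, the return address from the page's dump */

/* Constructed oversize input: 24 bytes, twice the size of buf. */
static const char OVERSIZE_INPUT[] = "AAAAAAAAAAAAAAAAAAAAAAAA";

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

static void put_u32(frame_t *f, size_t off, uint32_t v) { memcpy(f->bytes + off, &v, sizeof v); }
static uint32_t get_u32(const frame_t *f, size_t off) { uint32_t v; memcpy(&v, f->bytes + off, sizeof v); return v; }

/* Lay out a fresh frame: empty buf, canary, dummy saved %ebp, caller's return address. */
void frame_init(frame_t *f, uint32_t ret_addr) {
    memset(f->bytes, 0, FRAME_SIZE);
    put_u32(f, CANARY_OFF, CANARY_VALUE);
    put_u32(f, SAVED_EBP_OFF, 0xbffff000u);   /* constructed saved frame pointer */
    put_u32(f, RET_OFF, ret_addr);
}

/* Models Gets(): copies until the input ends without consulting the buffer size.
 * The model stops at the end of the frame array only so that this program itself
 * stays memory-safe; the real function keeps writing up the stack. */
void read_unbounded(frame_t *f, const char *input) {
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, input, n);
}

/* Hardened replacement: refuse (return -1) any input that does not fit in buf
 * together with its terminator, so nothing past buf is ever written. */
int read_bounded(frame_t *f, const char *input) {
    size_t n = strlen(input);
    if (n >= BUF_SIZE) return -1;
    memcpy(f->bytes, input, n);
    f->bytes[n] = '\0';
    return 0;
}

/* The check -fstack-protector emits before `leave; ret`: 1 if the canary is untouched,
 * 0 if the frame was overwritten (a real build would call __stack_chk_fail here). */
int canary_intact(const frame_t *f) { return get_u32(f, CANARY_OFF) == CANARY_VALUE; }

/* 1 if the stored return address still points where the caller left it. */
int return_intact(const frame_t *f, uint32_t ret_addr) { return get_u32(f, RET_OFF) == ret_addr; }

/* Scenario 1: an unbounded read of the oversize input clobbers both the canary
 * and the return address. Returns 1 when that outcome is observed. */
int unbounded_read_corrupts_return(void) {
    frame_t f;
    frame_init(&f, RET_TEST30);
    read_unbounded(&f, OVERSIZE_INPUT);
    return !canary_intact(&f) && !return_intact(&f, RET_TEST30);
}

/* Scenario 2: the bounded read refuses the same input and leaves the frame intact. */
int bounded_read_preserves_return(void) {
    frame_t f;
    frame_init(&f, RET_TEST30);
    return read_bounded(&f, OVERSIZE_INPUT) == -1 && canary_intact(&f) && return_intact(&f, RET_TEST30);
}

int main(void) {
    printf("unbounded read corrupts return address: %d\n", unbounded_read_corrupts_return());
    printf("bounded read preserves return address:  %d\n", bounded_read_preserves_return());
    return 0;
}
```

The sentinel in test() (local != 0xdeadbeef) lives in the caller's frame and is only examined after getbuf() returns, so it cannot catch a return-address overwrite that sends control to a function which exits directly, as the handout notes for smoke(). A canary inside the callee's own frame, or a read that refuses input longer than the buffer, is checked before the return executes.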