[level4@ftz level4]$ gdb -q autodig
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x08048430 <main+0>: push ebp
0x08048431 <main+1>: mov ebp,esp
0x08048433 <main+3>: sub esp,0x78
0x08048436 <main+6>: and esp,0xfffffff0
0x08048439 <main+9>: mov eax,0x0
0x0804843e <main+14>: sub esp,eax
0x08048440 <main+16>: cmp DWORD PTR [ebp+8],0x2
0x08048444 <main+20>: je 0x8048475 <main+69>
0x08048446 <main+22>: sub esp,0xc
0x08048449 <main+25>: push 0x8048588
0x0804844e <main+30>: call 0x8048340 <printf>
0x08048453 <main+35>: add esp,0x10
0x08048456 <main+38>: sub esp,0x8
0x08048459 <main+41>: mov eax,DWORD PTR [ebp+12]
0x0804845c <main+44>: push DWORD PTR [eax]
0x0804845e <main+46>: push 0x80485a1
0x08048463 <main+51>: call 0x8048340 <printf>
0x08048468 <main+56>: add esp,0x10
0x0804846b <main+59>: sub esp,0xc
0x0804846e <main+62>: push 0x0
0x08048470 <main+64>: call 0x8048360 <exit>
0x08048475 <main+69>: sub esp,0x8
0x08048478 <main+72>: push 0x80485b2
0x0804847d <main+77>: lea eax,[ebp-120]
0x08048480 <main+80>: push eax
0x08048481 <main+81>: call 0x8048370 <strcpy>
0x08048486 <main+86>: add esp,0x10
0x08048489 <main+89>: sub esp,0x8
0x0804848c <main+92>: mov eax,DWORD PTR [ebp+12]
0x0804848f <main+95>: add eax,0x4
0x08048492 <main+98>: push DWORD PTR [eax]
0x08048494 <main+100>: lea eax,[ebp-120]
0x08048497 <main+103>: push eax
0x08048498 <main+104>: call 0x8048330 <strcat>
0x0804849d <main+109>: add esp,0x10
0x080484a0 <main+112>: sub esp,0x8
0x080484a3 <main+115>: push 0x80485b8
0x080484a8 <main+120>: lea eax,[ebp-120]
0x080484ab <main+123>: push eax
0x080484ac <main+124>: call 0x8048330 <strcat>
0x080484b1 <main+129>: add esp,0x10
0x080484b4 <main+132>: sub esp,0x8
0x080484b7 <main+135>: push 0xbbc
0x080484bc <main+140>: push 0xbbc
0x080484c1 <main+145>: call 0x8048350 <setreuid>
0x080484c6 <main+150>: add esp,0x10
0x080484c9 <main+153>: sub esp,0xc
0x080484cc <main+156>: lea eax,[ebp-120]
0x080484cf <main+159>: push eax
0x080484d0 <main+160>: call 0x8048310 <system>
0x080484d5 <main+165>: add esp,0x10
0x080484d8 <main+168>: leave
0x080484d9 <main+169>: ret
0x080484da <main+170>: nop
0x080484db <main+171>: nop
End of assembler dump.
(gdb) b *0x0804849d
Breakpoint 1 at 0x804849d
(gdb) r perl -e 'print "A"x119'
Starting program: /bin/autodig perl -e 'print "A"x119'
Breakpoint 1, 0x0804849d in main ()
(gdb) x/100wx $esp
0xbfffdf80: 0xbfffdf90 0xbffffbd2 0x4200dba3 0x420069e4
0xbfffdf90: 0x20676964 0x41414140 0x41414141 0x41414141
0xbfffdfa0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdfb0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdfc0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdfd0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdfe0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdff0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffe000: 0x41414141 0x41414141 0x41414141 0x42015500
0xbfffe010: 0x00000002 0xbfffe054 0xbfffe060 0x4001582c
0xbfffe020: 0x00000002 0x08048380 0x00000000 0x080483a1
0xbfffe030: 0x08048430 0x00000002 0xbfffe054 0x080484dc
0xbfffe040: 0x0804850c 0x4000c660 0xbfffe04c 0x00000000
0xbfffe050: 0x00000002 0xbffffbc5 0xbffffbd2 0x00000000
0xbfffe060: 0xbffffc4a 0xbffffc68 0xbffffc78 0xbffffc83
0xbfffe070: 0xbffffc91 0xbffffcb3 0xbffffcc6 0xbffffcd2
0xbfffe080: 0xbffffe95 0xbffffed7 0xbffffef3 0xbfffff04
0xbfffe090: 0xbfffff19 0xbfffff2a 0xbfffff3b 0xbfffff4d
...omitted...
(gdb)
Since EBP is 0xbfffe008, I figured the RET address is 0x42015500.
It looked like overwriting it would do the job, so I thought I could solve the BOF, but
my question is this: looking at the disassembly, the return address should be somewhere around 0x08048498, yet the value there is 0x42015500,
and I'm wondering where that address actually is. That is, I'd expect something like 0x08XXXXXX,
but it is in the 0x42XXXXXX range.
What function's return is 0x42015500?
The stack is
/////////////////
/ dig @ (5 bytes)/
/115 bytes      /
/SFP (4 bytes)  /
/RET (4 bytes)  / <- which function's return is the RET in my question? (I think it looks like main's return)
It will be libc start main.
main looks like it runs on its own, but it is actually a function called from inside another function, namely libc start main, so main's ret goes back to that function.
If you print the values at those addresses you will see it right away, haha.
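As an added example (not code from the post or from autodig), here is a small C model of the frame the disassembly shows: a 120-byte buffer at ebp-120, the saved EBP right after it, and the return address four bytes above that. The "dig @" prefix is recovered from the dump (0x20676964 followed by '@'); the literal that the second strcat appends is not visible, so a placeholder stands in for it. The model works out where the 119-byte argument from the session ends up (after strcpy plus the first strcat, 5 + 119 + 1 = 125 bytes are written, so the terminating NUL lands on the first byte of the return-address slot, consistent with the 0x..00 low byte of 0x42015500 in the dump), and shows the bounded way to build the same command, which refuses input that does not fit instead of writing past the buffer. It models offsets only and does not reproduce the 32-bit binary.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed model of autodig's frame as the disassembly shows it:
 *   lea eax,[ebp-120]  -> 120-byte buffer starting at ebp-120
 *   saved EBP (SFP)    -> 4 bytes at ebp
 *   return address     -> 4 bytes at ebp+4
 * Offsets below are measured from the start of the buffer.
 */
#define BUF_SIZE 120u
#define SFP_SIZE 4u
#define RET_SIZE 4u

/* The literal strcpy places first, recovered from the stack dump. */
#define PREFIX "dig @"

enum slot { SLOT_BUFFER = 0, SLOT_SFP = 1, SLOT_RET = 2, SLOT_BEYOND = 3 };

/* Which frame slot a byte at this buffer-relative offset lands in. */
enum slot slot_of_offset(size_t off)
{
    if (off < BUF_SIZE) return SLOT_BUFFER;
    if (off < BUF_SIZE + SFP_SIZE) return SLOT_SFP;
    if (off < BUF_SIZE + SFP_SIZE + RET_SIZE) return SLOT_RET;
    return SLOT_BEYOND;
}

/* Bytes present after strcpy(PREFIX) and strcat(argv[1]), i.e. at the
 * breakpoint in the session: prefix, argument, and strcat's NUL. */
size_t bytes_after_first_strcat(size_t arg_len)
{
    return strlen(PREFIX) + arg_len + 1;
}

/* Slot that receives the NUL terminator for an argument of arg_len bytes. */
enum slot slot_of_terminator(size_t arg_len)
{
    return slot_of_offset(bytes_after_first_strcat(arg_len) - 1);
}

/* Hardened counterpart: build the same command into a fixed buffer and
 * refuse anything that does not fit. Returns 0 on success, -1 otherwise.
 * The suffix autodig appends is not visible in the dump; this placeholder
 * literal is an assumption standing in for it. */
int build_command(char *out, size_t out_size, const char *arg)
{
    const char *suffix = " <suffix-placeholder>";
    int n = snprintf(out, out_size, "%s%s%s", PREFIX, arg, suffix);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size) out[0] = '\0';   /* never hand a partial command on */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* The exact run from the session: 119 'A' bytes after "dig @". */
    size_t arg_len = 119;
    printf("%zu bytes written into a %u-byte buffer\n",
           bytes_after_first_strcat(arg_len), BUF_SIZE);
    printf("terminator lands in slot %d (0=buffer,1=SFP,2=RET,3=beyond)\n",
           (int)slot_of_terminator(arg_len));

    char cmd[BUF_SIZE];
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("bounded build, short arg: %d\n",
           build_command(cmd, sizeof cmd, "ns.example"));
    printf("bounded build, 199-byte arg: %d\n",
           build_command(cmd, sizeof cmd, big));
    return 0;
}
```

The slot arithmetic is what the question's diagram encodes: bytes 0..119 stay in the buffer, 120..123 overwrite the saved EBP, and 124..127 overwrite the return address, which at that point still holds the address inside libc start main that the answer refers to.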