Level16
After logging in to the level16 account, I check the hint, which is as follows.
Looking at the code, if I can get main to call the shell() function through call(), I can execute the level17 shell. I copy the source to the tmp folder, add a line of code to reveal the memory structure, and run the program.
Then I analyze attackme using gdb.
Based on the two analyses above, the structure of the stack is as follows.
I need the address of the shell() function, because I will execute shell() through call(). So I find the address of shell() using gdb.
When I disassemble shell, I find the starting address of the function. When I enter 40 bytes of dummy values followed by the address of shell(), call() executes shell().
As a result, the level17 shell is executed. I confirm that the password of level17 is “king poetic”.
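The overwrite described above, beside the bounded read that prevents it, as an added example that is not the attackme source. It assumes call() is a function pointer stored 40 bytes past the start of the input buffer (the offset measured in the post); the struct, `privileged()` (a stand-in for shell()) and the input bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the frame: 40 bytes sit ahead of the pointer. */
struct frame {
    char buf[40];
    void (*call)(void);
};

static int last_called;                              /* 1 = printit, 2 = privileged */
static void printit(void)    { last_called = 1; }
static void privileged(void) { last_called = 2; }    /* hypothetical stand-in for shell() */

/* Flawed read: the length limit is the frame size, not sizeof buf. */
static void read_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;   /* keeps the demo inside the struct */
    memcpy((unsigned char *)f, in, n);
}

/* Corrected read: never writes past buf, always NUL-terminates. */
static void read_bounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->buf - 1) n = sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Returns which function the frame's pointer reached after the read. */
int run(int bounded) {
    struct frame f;
    unsigned char in[sizeof f];
    void (*target)(void) = privileged;
    size_t off = offsetof(struct frame, call), n = off + sizeof target;

    memset(&f, 0, sizeof f);
    f.call = printit;
    memset(in, 'A', off);                       /* filler up to the pointer */
    memcpy(in + off, &target, sizeof target);   /* constructed input */
    if (bounded) read_bounded(&f, in, n); else read_unbounded(&f, in, n);
    last_called = 0;
    f.call();
    return last_called;
}

int main(void) {
    printf("unbounded read -> %d, bounded read -> %d\n", run(0), run(1));
    return 0;
}
```

With the read limited to `sizeof buf`, the same input leaves the pointer on `printit`, which is the one-line fix for this class of bug.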