Level17
After logging in with the level17 account, check the hint.
In the previous problem, the program contained a function that executes a shell, but this program has no such function. To decide on the attack direction, I first analyze it with gdb.
A total of 56 bytes are allocated for the memory space. The start address of printout is put in ebp-16, and printout is executed through the call function. I made the call() function execute the system() function, and the system() function execute “/bin/sh”. I put the address of the system() function at the location of the call() function and the address of /bin/sh at the beginning of the array, using the point where the call() function ends and ebp+4 is located. How to get the addresses of system() and /bin/sh is omitted because it was covered in level11.
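The following C program is an added example, not code from this post or from the wargame binary. It models the 56-byte frame as a byte array with the function pointer at offset 40 (ebp-16 counted from ebp-56) to show why a read limit larger than the array reaches the pointer, and how bounding the read and checking the pointer before the call prevents the hijack. The 20-byte array size, the 48-byte read limit, and the array starting at ebp-56 are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 56  /* bytes reserved on the stack, per the write-up */
#define PTR_OFFSET 40  /* ebp-16 seen from ebp-56 (assumed array start) */
#define BUF_SIZE   20  /* assumed size of the input array */
#define READ_LIMIT 48  /* assumed read limit that ignores BUF_SIZE */

static void printout(void) { puts("printout called"); }

/* The frame is modelled as raw bytes so the overflow is well-defined C. */
struct frame { unsigned char bytes[FRAME_SIZE]; };

static void frame_init(struct frame *f) {
    void (*fp)(void) = printout;
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + PTR_OFFSET, &fp, sizeof fp);  /* pointer slot */
}

/* fgets-style read: stores at most limit-1 bytes plus a terminating NUL. */
static size_t read_input(struct frame *f, const unsigned char *in,
                         size_t n, size_t limit) {
    size_t k = n < limit - 1 ? n : limit - 1;
    memcpy(f->bytes, in, k);
    f->bytes[k] = 0;
    return k;
}

/* Mitigation: dispatch only if the slot still holds the expected target. */
static int guarded_call(const struct frame *f) {
    void (*fp)(void);
    memcpy(&fp, f->bytes + PTR_OFFSET, sizeof fp);
    if (fp != printout) return 0;  /* corrupted pointer: refuse to call */
    fp();
    return 1;
}

/* Returns 1 if the pointer survived the read and was called, 0 otherwise. */
int demo(size_t limit) {
    unsigned char input[64];
    struct frame f;
    memset(input, 'A', sizeof input);  /* constructed over-long input */
    frame_init(&f);
    read_input(&f, input, sizeof input, limit);
    return guarded_call(&f);
}

int main(void) {
    printf("limit %d -> call allowed: %d\n", READ_LIMIT, demo(READ_LIMIT));
    printf("limit %d -> call allowed: %d\n", BUF_SIZE, demo(BUF_SIZE));
    return 0;
}
```

With the read limited to the array size, the bytes between the array and the pointer slot are never written, so the guard is a second line of defence rather than the only one.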