Level18
After logging in with level18 account, check the hint as follows.
When I look at the code, If I have more than 100 characters in the string array, The program outputs “what are you trying to do?”. If the check variable is set to 0xdeadbeef, then shellout() is executed and a shell with level19 permission is executed. I put “A”*100 to make sure the code is right.
As expected, what are you trying to do? is displayed. Now, I use the following code to confirm the positional relationship between variables.
After compiling the above code and executing the program, the result is as follows.
Base on the above results, the following diagram shows the stack.
the count variable is located at an address lower than the string variable, so it is not easy to use the BOF method.
Since the level19 shell only needs to enter 0xdeadbeef into the check variable, I proceed to change the value of the check variable by manipulating the pointer.Since the check variable is the same as string[-4], we moved the pointer by putting “\x08” 4times to reduce the count by 4, and then put 0xdeadbeef.
shellout() is executed and the level19 shell is executed, and I confirm the password of level19 using my-pass command.
No comments:
Post a Comment