Pretty good level, I learned a few new things.
So let's hit the game.
Fighting with the app until it crashes, and hell yeah, we start from the fault.
So we need to see what's going on.
There's a lot of assembly to read, but there is some interesting stuff:
strlen, memcpy, memset
But the natural feeling is that memcpy is our way in.
Let's see what is inside ESP.
You will notice that our A's live in memory; this is a good sign that we are on the right track.
Also, I found the source code is available; it will save us some time understanding what the app does.
Two functions: good and bad.
good drops the shell.
bad says some stuff.
The main function, let's see the logic of the app:
A one-line assignment: functionpointer == bad function.
Setting the char buffer limit to 50, this is how you do it!!!
An if statement checks the argument: if it is less than 4 chars, return 0.
Send the argv[1] data to the buffer.
Override the memory of the buffer.
Then call the function: functionpointer(); == bad.
You call the bad function and I will call your …..
Okay, now we know what's going on.
Let's do the hard work.
So let's set a breakpoint after the memcpy love.
Run gdb again with 60 chars of data:
(gdb) r $(python -c "print 'A' * 60")
and take a look at ESP.
Here is our data.
Now we want to jump to function good, so let's print the function addresses.
0x08048474 is good, this is our target, let's reverse it (little-endian):
\x74\x84\x04\x08
Let's send the payload.
The app says sorry and exits at address 0x80484a4.
After re-looking at what happens in ESP,
we will notice that the space between 0x41414141 and 0x080484a4 is 16 bit.
So let's add 16 bits more to the payload.
New process <3
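As an added example (not code from the original post), here is the app's copy pattern as the source describes it, next to a hardened version that bounds the copy by the buffer size; the `struct frame` layout, the function names and the `feed_a_run` helper are my own constructions standing in for the real stack frame, and the gap between buffer and fp here is whatever padding the compiler inserts, not the exact spacing seen in gdb.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 50   /* the 50-char buffer from the app's source */

/* Constructed layout: the buffer sits just before the function pointer, as it
 * does in the app's stack frame, so an oversize copy runs into fp. */
struct frame {
    char buffer[BUF_SIZE];
    void (*fp)(void);
};

void bad(void) { puts("bad: says some stuff"); }

/* The app's pattern: the copy length comes from argv[1], not from the buffer,
 * so anything past BUF_SIZE bytes overwrites fp before it is called. */
void copy_unchecked(struct frame *f, const char *arg)
{
    memcpy(f->buffer, arg, strlen(arg));  /* no bound against BUF_SIZE */
    f->fp();
}

/* Hardened version: keep the app's "less than 4 chars" rule and also reject
 * anything that does not fit with its terminator before touching memory.
 * Returns 1 if the argument was accepted and copied, 0 if it was rejected. */
int copy_checked(struct frame *f, const char *arg)
{
    size_t n = strlen(arg);
    if (n < 4 || n >= BUF_SIZE)
        return 0;
    memcpy(f->buffer, arg, n);
    f->buffer[n] = '\0';
    return 1;
}

/* Feed a run of n 'A' bytes (the post's payload shape) through the checked path
 * on a fresh frame. Returns 1 if accepted, 0 if rejected, -2 if fp changed
 * (must never happen), -1 if n does not fit this demo's argument buffer. */
int feed_a_run(size_t n)
{
    char arg[128];
    struct frame f = { {0}, bad };
    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int accepted = copy_checked(&f, arg);
    return f.fp == bad ? accepted : -2;
}
```

With the checked path, the 60-byte run from the gdb session is rejected outright and fp is never touched, which is the fix that makes the rest of the walkthrough impossible.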