Root-me
int size;
if(read(fd, &size, sizeof(int)) != sizeof(int)) // the vulnerable part !!!
.....
if(size >= BUFFER)
{
printf("[-] Path too long.\n");
exit(0);
}
.....
while(read(fd, data, 1) == 1 && *data && size)
This code has an integer overflow bug: getting a char input into an integer causes the size var to overflow if we give the ASCII value of 0xffffffff,
hence after overflowing the int we get size = -1, therefore we can read as many bytes as we want. That's it, capture EIP !!!
But the &(buffer) differs in gdb and outside; figuring that out was a little bit of a tough job. Somehow by luck I got it right :)
python -c 'import struct;print struct.pack(" /tmp/siva/imp
You could also use a ret2libc attack. The advantage is you need not guess &(buffer), coz only the addr of a var on the stack differs with gdb, but not the addr in libc ..
The int is by default unsigned, so to give -1 you have to supply its 2's complement, i.e. 0xffffffff
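To make the root cause of the length check concrete, here is an added example (my own code, not the challenge binary's source): it decodes a 4-byte length header the way the page's read(fd, &size, sizeof(int)) does, runs the page-shaped check that only tests the upper bound on a signed int, and sets a hardened check beside it. A copy-loop simulation shows how many bytes the follow-on loop would write into the destination. BUFFER = 128, the loop decrementing size once per byte, and the 'A'-filled input are all assumptions, since the page shows only fragments of the program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER 128   /* assumed destination size; the page does not state it */

/* Decode the 4-byte header exactly as read(fd, &size, sizeof(int)) would:
   raw bytes copied into a native signed int. */
static int decode_signed(const unsigned char raw[4]) {
    int size;
    memcpy(&size, raw, sizeof size);
    return size;
}

/* Page-shaped check: only the upper bound is tested, on a signed value,
   so a negative length (bytes ff ff ff ff -> -1) is accepted.
   Returns 1 to accept, 0 to reject. */
int unsafe_length_check(const unsigned char raw[4]) {
    int size = decode_signed(raw);
    if (size >= BUFFER)
        return 0;          /* "[-] Path too long." */
    return 1;
}

/* Hardened check: decode as unsigned so there is no negative value to
   slip under the bound, and reject zero and anything that would not leave
   room for a terminating NUL. */
int safe_length_check(const unsigned char raw[4]) {
    uint32_t size;
    memcpy(&size, raw, sizeof size);
    if (size == 0 || size >= BUFFER)
        return 0;
    return 1;
}

/* Simulate the copy loop that follows the check. Assumption: the loop
   consumes one byte per iteration, stops on a NUL byte or when `size`
   reaches zero, and decrements `size` each time. Returns the number of
   bytes that land inside a BUFFER-byte destination, or -1 as soon as a
   write would fall outside it. `n` bounds the constructed input so the
   simulation itself never reads out of range. */
int simulate_copy(const unsigned char raw[4], const unsigned char *src, size_t n) {
    int size = decode_signed(raw);
    size_t written = 0;
    for (size_t i = 0; i < n && src[i] && size; i++, size--) {
        if (written >= BUFFER)
            return -1;     /* the real loop would now corrupt the stack */
        written++;
    }
    return (int)written;
}

int main(void) {
    int sixteen = 16;
    unsigned char ok_hdr[4];
    memcpy(ok_hdr, &sixteen, sizeof ok_hdr);                    /* native byte order */
    const unsigned char bad_hdr[4] = { 0xff, 0xff, 0xff, 0xff }; /* -1 as int */

    unsigned char payload[300];                                  /* constructed input */
    memset(payload, 'A', sizeof payload);
    payload[sizeof payload - 1] = 0;

    printf("unsafe check: 16 -> %d, -1 -> %d\n",
           unsafe_length_check(ok_hdr), unsafe_length_check(bad_hdr));
    printf("safe   check: 16 -> %d, -1 -> %d\n",
           safe_length_check(ok_hdr), safe_length_check(bad_hdr));
    printf("copy with 16 header: %d bytes, with -1 header: %d\n",
           simulate_copy(ok_hdr, payload, sizeof payload),
           simulate_copy(bad_hdr, payload, sizeof payload));
    return 0;
}
```

The fix is not to add a `size < 0` branch, since that still leaves a signed value driving a loop; reading the header into an unsigned type and bounding it on both sides, then using that bounded value as the loop limit, removes the -1 case entirely.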