[3] dark_eyes -> hell_fire ( Fake EBP & fgets Cache memory / mprotect)
dark_eyes / because of you [ hellfire.c ]12345678910111213141516171819202122232425262728 #include int main(){ char buffer[256]; char saved_sfp[4]; char temp[1024]; printf("hell_fire : What's this smell?\n"); printf("you : "); fflush(stdout); // give me a food fgets(temp, 1024, stdin); // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, temp); // restore sfp memcpy(buffer+2..
2017.11.28