behemoth - 05

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

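int main(int argc, char *argv[])
{
	/*
	 * Reconstruction of /behemoth/behemoth5 from the disassembly below:
	 * read the first line of the behemoth6 password file and send it as
	 * one UDP datagram to localhost:1337.  The stack offsets in the
	 * comments (relative to %esp after the 0x50-byte frame is set up)
	 * are kept so each local can be matched against the assembly.
	 */
	struct sockaddr_in toaddr;	/* 0x3c */
	int sendstat;		/* 0x38 */
	int sock;		/* 0x34 */
	struct hostent *hent;	/* 0x30 */
	char *buf;		/* 0x2c */
	FILE *fp;		/* 0x28 */
	int fsize;		/* 0x24 */

	fp = fopen("/etc/behemoth_pass/behemoth6", "r");
	if (fp == NULL) {
		perror("fopen");
		exit(1);
	}

	/* File length + 1 so the terminating NUL fits.  The binary does not
	 * test ftell() for -1 (main+126..135), so neither does this. */
	fseek(fp, 0, SEEK_END);
	fsize = ftell(fp) + 1;

	rewind(fp);

	/* The binary passes the malloc() result straight to fgets() without a
	 * NULL check (main+159..191); kept as-is to stay faithful. */
	buf = malloc(fsize);

	/* fgets() reads at most fsize-1 bytes and always NUL-terminates, so the
	 * whole file (including a trailing newline, if present) lands in buf. */
	fgets(buf, fsize, fp);
	/* No-op: strlen(buf) already indexes the NUL that fgets() wrote.  It is
	 * only here because the binary does it (main+196..214). */
	buf[strlen(buf)] = '\0';

	fclose(fp);

	hent = gethostbyname("localhost");
	if (hent == NULL) {
		perror("gethostbyname");
		exit(1);
	}

	sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
	if (sock == -1) {
		perror("socket");
		exit(1);
	}

	/* main+339: movw $0x2,0x3c(%esp) -- offset 0x3c is the start of toaddr,
	 * i.e. sin_family = AF_INET (2).  Without this line sin_family is
	 * whatever was left on the stack and sendto() may reject the address. */
	toaddr.sin_family = AF_INET;
	/* atoi() result is truncated to 16 bits (movzwl %ax) before htons(). */
	toaddr.sin_port = htons(atoi("1337"));

	/*
	mov    0x30(%esp),%eax	;eax = hent
	mov    0x10(%eax),%eax	;eax = hent->h_addr_list
	mov    (%eax),%eax	;eax = hent->h_addr_list[0]  ;a pointer; the bytes it points to are \x7f\x00\x00\x01
	mov    (%eax),%eax	;eax = 0x0100007f	(little endian)
	mov    %eax,0x40(%esp)	;0x40(%esp) = toaddr.sin_addr.s_addr
	 */
	/* The binary does a single 4-byte load.  Copying sizeof s_addr bytes
	 * reproduces that on any ABI; dereferencing through `unsigned long *`
	 * would read 8 bytes on LP64 hosts (past the 4-byte address) and
	 * accesses the object through an incompatible type. */
	memcpy(&toaddr.sin_addr.s_addr, hent->h_addr_list[0],
	       sizeof toaddr.sin_addr.s_addr);
	memset(toaddr.sin_zero, 0, sizeof toaddr.sin_zero);

	/* sizeof toaddr == 16, the constant pushed at main+432. */
	sendstat = sendto(sock, buf, strlen(buf), 0,
			  (const struct sockaddr *)&toaddr, sizeof toaddr);
	if (sendstat == -1) {
		perror("sendto");
		exit(1);
	}

	close(sock);
	exit(0);
}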



/** ser.c */

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Receive buffer size, and the UDP port the sink binds to (the same port
 * behemoth5 hard-codes for its sendto()). */
enum { BUFSZ = 200 };
int port = 1337;

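int main(int argc, char *argv[])
{
	/*
	 * Minimal UDP sink: bind 0.0.0.0:port and print every datagram that
	 * arrives, forever -- the loop only ends when a receive fails.
	 * Exits with status 255 (exit(-1)) if the socket cannot be created
	 * or bound, e.g. when another instance already owns the port.
	 */
	char buf[BUFSZ];
	int rc;

	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd == -1) {
		printf("socket: %s\n", strerror(errno));
		exit(-1);
	}

	/* Zero-initialise so sin_zero and any padding are not indeterminate. */
	struct sockaddr_in sin = {0};
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = htons(port);

	if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1) {
		printf("bind: %s\n", strerror(errno));
		exit(-1);
	}

	do {
		/* recv() is declared by <sys/socket.h>, already included; read()
		 * needs <unistd.h>, which this file never includes, so the
		 * original call was an implicit declaration.  For a UDP socket
		 * the two behave the same: one datagram per call, truncated to
		 * BUFSZ bytes. */
		rc = recv(fd, buf, BUFSZ, 0);
		if (rc == -1) {
			printf("read: %s\n", strerror(errno));
		} else {
			/* %.*s bounds the print to the bytes received, so buf
			 * does not need a terminating NUL. */
			printf("received %d bytes: %.*s\n", rc, rc, buf);
		}
	} while (rc >= 0);

	return 0;
}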

棧環境



root@today:~# ssh [email protected]

[email protected]'s password: aizeeshing

behemoth5@melinda:~$ cd /tmp/shui5

behemoth5@melinda:/tmp/shui5$ ls   
ser  ser.c  sleep.sh

behemoth5@melinda:/tmp/shui5$ gcc ser.c -o ser -m32

behemoth5@melinda:/tmp/shui5$ ./ser &
[1] 20089
behemoth5@melinda:/tmp/shui5$ bind: Address already in use

[1]+  Exit 255                ./ser

behemoth5@melinda:/tmp/shui5$ netstat -ulnp | grep 1337
udp        0      0 0.0.0.0:1337            0.0.0.0:*                           19686/ser    
   
behemoth5@melinda:/tmp/shui5$ kill 19686

behemoth5@melinda:/tmp/shui5$ ./ser &
[1] 20154

behemoth5@melinda:/tmp/shui5$ /behemoth/behemoth5
received 11 bytes: mayiroeche

behemoth5@melinda:/tmp/shui5$ 



   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x804873d <main>        push   %ebp                                              │
   │0x804873e <main+1>      mov    %esp,%ebp                                         │
   │0x8048740 <main+3>      and    $0xfffffff0,%esp                                  │
   │0x8048743 <main+6>      sub    $0x50,%esp                                        │
   │0x8048746 <main+9>      mov    0xc(%ebp),%eax                                    │
   │0x8048749 <main+12>     mov    %eax,0x1c(%esp)                                   │
   │0x804874d <main+16>     mov    %gs:0x14,%eax                                     │
   │0x8048753 <main+22>     mov    %eax,0x4c(%esp)                                   │
   │0x8048757 <main+26>     xor    %eax,%eax                                         │
   │0x8048759 <main+28>     movl   $0x0,0x24(%esp)                                   │
   │0x8048761 <main+36>     movl   $0x80489f0,0x4(%esp)                              │
   │0x8048769 <main+44>     movl   $0x80489f2,(%esp)                                 │
   │0x8048770 <main+51>     call   0x80485d0 <fopen@plt>                             │
   │0x8048775 <main+56>     mov    %eax,0x28(%esp)                                   │
   │0x8048779 <main+60>     cmpl   $0x0,0x28(%esp)                                   │
   │0x804877e <main+65>     jne    0x8048798 <main+91>                               │
   │0x8048780 <main+67>     movl   $0x8048a0f,(%esp)                                 │
   │0x8048787 <main+74>     call   0x8048560 <perror@plt>                            │
   │0x804878c <main+79>     movl   $0x1,(%esp)                                       │
   │0x8048793 <main+86>     call   0x8048590 <exit@plt>                              │
   │0x8048798 <main+91>     movl   $0x2,0x8(%esp)                                    │
   │0x80487a0 <main+99>     movl   $0x0,0x4(%esp)                                    │
   │0x80487a8 <main+107>    mov    0x28(%esp),%eax                                   │
   │0x80487ac <main+111>    mov    %eax,(%esp)                                       │
   │0x80487af <main+114>    call   0x8048550 <fseek@plt>                             │
   │0x80487b4 <main+119>    mov    0x28(%esp),%eax                                   │
   │0x80487b8 <main+123>    mov    %eax,(%esp)                                       │
   │0x80487bb <main+126>    call   0x80485c0 <ftell@plt>                             │
   │0x80487c0 <main+131>    mov    %eax,0x24(%esp)                                   │
   │0x80487c4 <main+135>    addl   $0x1,0x24(%esp)                                   │
   │0x80487c9 <main+140>    mov    0x28(%esp),%eax                                   │
   │0x80487cd <main+144>    mov    %eax,(%esp)                                       │
   │0x80487d0 <main+147>    call   0x8048530 <rewind@plt>                            │
   └─────────────────────────────────────────────────────────────────────────────────┘
   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x80487d5 <main+152>    mov    0x24(%esp),%eax                                   │
   │0x80487d9 <main+156>    mov    %eax,(%esp)                                       │
   │0x80487dc <main+159>    call   0x8048570 <malloc@plt>                            │
   │0x80487e1 <main+164>    mov    %eax,0x2c(%esp)                                   │
   │0x80487e5 <main+168>    mov    0x28(%esp),%eax                                   │
   │0x80487e9 <main+172>    mov    %eax,0x8(%esp)                                    │
   │0x80487ed <main+176>    mov    0x24(%esp),%eax                                   │
   │0x80487f1 <main+180>    mov    %eax,0x4(%esp)                                    │
   │0x80487f5 <main+184>    mov    0x2c(%esp),%eax                                   │
   │0x80487f9 <main+188>    mov    %eax,(%esp)                                       │
   │0x80487fc <main+191>    call   0x8048510 <fgets@plt>                             │
   │0x8048801 <main+196>    mov    0x2c(%esp),%eax                                   │
   │0x8048805 <main+200>    mov    %eax,(%esp)                                       │
   │0x8048808 <main+203>    call   0x80485a0 <strlen@plt>                            │
   │0x804880d <main+208>    mov    0x2c(%esp),%edx                                   │
   │0x8048811 <main+212>    add    %edx,%eax                                         │
   │0x8048813 <main+214>    movb   $0x0,(%eax)                                       │
   │0x8048816 <main+217>    mov    0x28(%esp),%eax                                   │
   │0x804881a <main+221>    mov    %eax,(%esp)                                       │
   │0x804881d <main+224>    call   0x8048520 <fclose@plt>                            │
   │0x8048822 <main+229>    movl   $0x8048a15,(%esp)                                 │
   │0x8048829 <main+236>    call   0x8048620 <gethostbyname@plt>                     │
   │0x804882e <main+241>    mov    %eax,0x30(%esp)                                   │
   │0x8048832 <main+245>    cmpl   $0x0,0x30(%esp)                                   │
   │0x8048837 <main+250>    jne    0x8048851 <main+276>                              │
   │0x8048839 <main+252>    movl   $0x8048a1f,(%esp)                                 │
   │0x8048840 <main+259>    call   0x8048560 <perror@plt>                            │
   │0x8048845 <main+264>    movl   $0x1,(%esp)                                       │
   │0x804884c <main+271>    call   0x8048590 <exit@plt>                              │
   │0x8048851 <main+276>    movl   $0x0,0x8(%esp)                                    │
   │0x8048859 <main+284>    movl   $0x2,0x4(%esp)                                    │
   │0x8048861 <main+292>    movl   $0x2,(%esp)                                       │
   │0x8048868 <main+299>    call   0x8048610 <socket@plt>                            │
   └─────────────────────────────────────────────────────────────────────────────────┘
   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x804886d <main+304>    mov    %eax,0x34(%esp)                                   │
   │0x8048871 <main+308>    cmpl   $0xffffffff,0x34(%esp)                            │
   │0x8048876 <main+313>    jne    0x8048890 <main+339>                              │
   │0x8048878 <main+315>    movl   $0x8048a2d,(%esp)                                 │
   │0x804887f <main+322>    call   0x8048560 <perror@plt>                            │
   │0x8048884 <main+327>    movl   $0x1,(%esp)                                       │
   │0x804888b <main+334>    call   0x8048590 <exit@plt>                              │
   │0x8048890 <main+339>    movw   $0x2,0x3c(%esp)                                   │
   │0x8048897 <main+346>    movl   $0x8048a34,(%esp)                                 │
   │0x804889e <main+353>    call   0x8048600 <atoi@plt>                              │
   │0x80488a3 <main+358>    movzwl %ax,%eax                                          │
   │0x80488a6 <main+361>    mov    %eax,(%esp)                                       │
   │0x80488a9 <main+364>    call   0x8048540 <htons@plt>                             │
   │0x80488ae <main+369>    mov    %ax,0x3e(%esp)                                    │
   │0x80488b3 <main+374>    mov    0x30(%esp),%eax                                   │
   │0x80488b7 <main+378>    mov    0x10(%eax),%eax                                   │
   │0x80488ba <main+381>    mov    (%eax),%eax                                       │
   │0x80488bc <main+383>    mov    (%eax),%eax                                       │
   │0x80488be <main+385>    mov    %eax,0x40(%esp)                                   │
   │0x80488c2 <main+389>    movl   $0x8,0x8(%esp)                                    │
   │0x80488ca <main+397>    movl   $0x0,0x4(%esp)                                    │
   │0x80488d2 <main+405>    lea    0x3c(%esp),%eax                                   │
   │0x80488d6 <main+409>    add    $0x8,%eax                                         │
   │0x80488d9 <main+412>    mov    %eax,(%esp)                                       │
   │0x80488dc <main+415>    call   0x80485e0 <memset@plt>                            │
   │0x80488e1 <main+420>    mov    0x2c(%esp),%eax                                   │
   │0x80488e5 <main+424>    mov    %eax,(%esp)                                       │
   │0x80488e8 <main+427>    call   0x80485a0 <strlen@plt>                            │
   │0x80488ed <main+432>    movl   $0x10,0x14(%esp)                                  │
   │0x80488f5 <main+440>    lea    0x3c(%esp),%edx                                   │
   │0x80488f9 <main+444>    mov    %edx,0x10(%esp)                                   │
   │0x80488fd <main+448>    movl   $0x0,0xc(%esp)                                    │
   │0x8048905 <main+456>    mov    %eax,0x8(%esp)                                    │
   └─────────────────────────────────────────────────────────────────────────────────┘
   ┌─────────────────────────────────────────────────────────────────────────────────┐
   │0x8048909 <main+460>    mov    0x2c(%esp),%eax                                   │
   │0x804890d <main+464>    mov    %eax,0x4(%esp)                                    │
   │0x8048911 <main+468>    mov    0x34(%esp),%eax                                   │
   │0x8048915 <main+472>    mov    %eax,(%esp)                                       │
   │0x8048918 <main+475>    call   0x80485f0 <sendto@plt>                            │
   │0x804891d <main+480>    mov    %eax,0x38(%esp)                                   │
   │0x8048921 <main+484>    cmpl   $0xffffffff,0x38(%esp)                            │
   │0x8048926 <main+489>    jne    0x8048940 <main+515>                              │
   │0x8048928 <main+491>    movl   $0x8048a39,(%esp)                                 │
   │0x804892f <main+498>    call   0x8048560 <perror@plt>                            │
   │0x8048934 <main+503>    movl   $0x1,(%esp)                                       │
   │0x804893b <main+510>    call   0x8048590 <exit@plt>                              │
   │0x8048940 <main+515>    mov    0x34(%esp),%eax                                   │
   │0x8048944 <main+519>    mov    %eax,(%esp)                                       │
   │0x8048947 <main+522>    call   0x8048630 <close@plt>                             │
   │0x804894c <main+527>    movl   $0x0,(%esp)                                       │
   │0x8048953 <main+534>    call   0x8048590 <exit@plt>                              │
   └─────────────────────────────────────────────────────────────────────────────────┘

