behemoth - 05
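/*
 * behemoth5 - C reconstruction of the challenge binary from its disassembly.
 *
 * Reads the first line of /etc/behemoth_pass/behemoth6 and sends it as a
 * single UDP datagram to localhost:1337.  The comments on the locals
 * (0x3c, 0x38, ...) are the %esp offsets of those slots in the disassembly.
 *
 * Weakness this illustrates: the secret leaves the process over an
 * unauthenticated loopback datagram, so whichever local process is bound
 * to UDP 1337 at that moment receives it.
 *
 * Differences from the bare decompilation:
 *  - <stdio.h> and <unistd.h> are included so the listing compiles
 *    (FILE, fopen, perror, close).
 *  - sin_family is set; the binary does this at main+339
 *    (movw $0x2,0x3c(%esp)) but the earlier listing omitted it.
 *  - The ftell/malloc/fgets results are checked.
 *  - The binary's buf[strlen(buf)] = '\0' (main+196..214) rewrites the
 *    terminator fgets already placed and is therefore a no-op; it is omitted.
 *  - The in-memory copy of the password is scrubbed before free().
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Overwrite n bytes through a volatile pointer so the stores are not elided. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) {
        *vp++ = 0;
    }
}

int main(int argc, char *argv[])
{
    struct sockaddr_in toaddr;  /* 0x3c */
    ssize_t sendstat;           /* 0x38 */
    int sock;                   /* 0x34 */
    struct hostent *hent;       /* 0x30 */
    char *buf;                  /* 0x2c */
    FILE *fp;                   /* 0x28 */
    int fsize;                  /* 0x24 */
    long len;

    (void)argc;
    (void)argv;

    fp = fopen("/etc/behemoth_pass/behemoth6", "r");
    if (fp == NULL) {
        perror("fopen");
        exit(1);
    }

    /* Size the buffer from the file length plus one byte for the terminator. */
    if (fseek(fp, 0, SEEK_END) != 0) {
        perror("fseek");
        exit(1);
    }
    len = ftell(fp);
    if (len < 0) {
        perror("ftell");
        exit(1);
    }
    if (len >= INT_MAX) {
        fprintf(stderr, "password file is unexpectedly large\n");
        exit(1);
    }
    fsize = (int)len + 1;
    rewind(fp);

    buf = malloc((size_t)fsize);
    if (buf == NULL) {
        perror("malloc");
        exit(1);
    }
    /* fgets reads at most one line.  An empty file leaves buf untouched, so
     * make it an empty string rather than sending uninitialised heap. */
    if (fgets(buf, fsize, fp) == NULL) {
        buf[0] = '\0';
    }
    fclose(fp);

    hent = gethostbyname("localhost");
    if (hent == NULL) {
        perror("gethostbyname");
        exit(1);
    }

    sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
    if (sock == -1) {
        perror("socket");
        exit(1);
    }

    /* The binary zeroes only sin_zero (memset of 8 bytes at 0x3c+8,
     * main+389..415); zeroing the whole struct is the portable equivalent. */
    memset(&toaddr, 0, sizeof toaddr);
    toaddr.sin_family = AF_INET;            /* main+339: movw $0x2,0x3c(%esp) */
    toaddr.sin_port = htons((uint16_t)atoi("1337"));  /* the binary really calls atoi on a literal */

    /* mov 0x30(%esp),%eax   ; eax = hent
     * mov 0x10(%eax),%eax   ; eax = hent->h_addr_list
     * mov (%eax),%eax       ; eax = hent->h_addr_list[0], pointing at \x7f\x00\x00\x01
     * mov (%eax),%eax       ; eax = 0x0100007f (little endian)
     * mov %eax,0x40(%esp)   ; toaddr.sin_addr.s_addr
     *
     * The binary reads the address through a 4-byte integer load; memcpy does
     * the same without the aliasing cast, and the h_addrtype/h_length check
     * guards against a resolver result that is not a 4-byte IPv4 address. */
    if (hent->h_addrtype != AF_INET || hent->h_length != (int)sizeof toaddr.sin_addr) {
        fprintf(stderr, "gethostbyname: unexpected address family\n");
        exit(1);
    }
    memcpy(&toaddr.sin_addr, hent->h_addr_list[0], sizeof toaddr.sin_addr);

    /* addrlen is 0x10 in the binary (main+432); sizeof toaddr is the same 16 bytes. */
    sendstat = sendto(sock, buf, strlen(buf), 0,
                      (const struct sockaddr *)&toaddr, sizeof toaddr);
    if (sendstat == -1) {
        perror("sendto");
        exit(1);
    }

    /* The secret has been copied into the datagram; drop the local copy. */
    scrub(buf, (size_t)fsize);
    free(buf);
    close(sock);
    exit(0);
}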
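/** ser.c - minimal UDP listener used to catch the datagram behemoth5 sends.
 *
 * Binds UDP port `port` and prints every datagram received until read()
 * fails.  The error paths keep exit(-1) from the original listing, which
 * the shell reports as status 255.
 *
 * Changes from the original listing: <unistd.h> is included for read() and
 * close(), the socket() result is checked, the address struct is
 * zero-initialised (sin_zero no longer carries stack garbage), and the
 * descriptor is closed on every path.
 */
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFSZ 200

int port = 1337;

int main(int argc, char *argv[])
{
    char buf[BUFSZ];
    int rc;
    int fd;
    struct sockaddr_in sin = {0};

    (void)argc;
    (void)argv;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) {
        printf("socket: %s\n", strerror(errno));
        exit(-1);
    }

    sin.sin_family = AF_INET;
    /* INADDR_ANY listens on every interface.  Since the sender targets
     * localhost, INADDR_LOOPBACK would suffice and would not expose the
     * port to other hosts. */
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1) {
        printf("bind: %s\n", strerror(errno));
        close(fd);
        exit(-1);
    }

    do {
        rc = (int)read(fd, buf, BUFSZ);
        if (rc == -1) {
            printf("read: %s\n", strerror(errno));
        } else {
            /* %.*s bounds the print to the bytes actually received;
             * buf is not NUL-terminated. */
            printf("received %d bytes: %.*s\n", rc, rc, buf);
        }
    } while (rc >= 0);

    close(fd);
    return 0;
}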
栈环境
root@today:~# ssh behemoth5@178.79.134.250
behemoth5@178.79.134.250's password: aizeeshing
behemoth5@melinda:~$ cd /tmp/shui5
behemoth5@melinda:/tmp/shui5$ ls
ser  ser.c  sleep.sh
behemoth5@melinda:/tmp/shui5$ gcc ser.c -o ser -m32
behemoth5@melinda:/tmp/shui5$ ./ser &
[1] 20089
behemoth5@melinda:/tmp/shui5$ bind: Address already in use
[1]+  Exit 255                ./ser
behemoth5@melinda:/tmp/shui5$ netstat -ulnp | grep 1337
udp        0      0 0.0.0.0:1337            0.0.0.0:*                           19686/ser
behemoth5@melinda:/tmp/shui5$ kill 19686
behemoth5@melinda:/tmp/shui5$ ./ser &
[1] 20154
behemoth5@melinda:/tmp/shui5$ /behemoth/behemoth5
received 11 bytes: mayiroeche
behemoth5@melinda:/tmp/shui5$
┌─────────────────────────────────────────────────────────────────────────────────┐ │0x804873d <main> push %ebp │ │0x804873e <main+1> mov %esp,%ebp │ │0x8048740 <main+3> and $0xfffffff0,%esp │ │0x8048743 <main+6> sub $0x50,%esp │ │0x8048746 <main+9> mov 0xc(%ebp),%eax │ │0x8048749 <main+12> mov %eax,0x1c(%esp) │ │0x804874d <main+16> mov %gs:0x14,%eax │ │0x8048753 <main+22> mov %eax,0x4c(%esp) │ │0x8048757 <main+26> xor %eax,%eax │ │0x8048759 <main+28> movl $0x0,0x24(%esp) │ │0x8048761 <main+36> movl $0x80489f0,0x4(%esp) │ │0x8048769 <main+44> movl $0x80489f2,(%esp) │ │0x8048770 <main+51> call 0x80485d0 <fopen@plt> │ │0x8048775 <main+56> mov %eax,0x28(%esp) │ │0x8048779 <main+60> cmpl $0x0,0x28(%esp) │ │0x804877e <main+65> jne 0x8048798 <main+91> │ │0x8048780 <main+67> movl $0x8048a0f,(%esp) │ │0x8048787 <main+74> call 0x8048560 <perror@plt> │ │0x804878c <main+79> movl $0x1,(%esp) │ │0x8048793 <main+86> call 0x8048590 <exit@plt> │ │0x8048798 <main+91> movl $0x2,0x8(%esp) │ │0x80487a0 <main+99> movl $0x0,0x4(%esp) │ │0x80487a8 <main+107> mov 0x28(%esp),%eax │ │0x80487ac <main+111> mov %eax,(%esp) │ │0x80487af <main+114> call 0x8048550 <fseek@plt> │ │0x80487b4 <main+119> mov 0x28(%esp),%eax │ │0x80487b8 <main+123> mov %eax,(%esp) │ │0x80487bb <main+126> call 0x80485c0 <ftell@plt> │ │0x80487c0 <main+131> mov %eax,0x24(%esp) │ │0x80487c4 <main+135> addl $0x1,0x24(%esp) │ │0x80487c9 <main+140> mov 0x28(%esp),%eax │ │0x80487cd <main+144> mov %eax,(%esp) │ │0x80487d0 <main+147> call 0x8048530 <rewind@plt> │ └─────────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────────┐ │0x80487d5 <main+152> mov 0x24(%esp),%eax │ │0x80487d9 <main+156> mov %eax,(%esp) │ │0x80487dc <main+159> call 0x8048570 <malloc@plt> │ │0x80487e1 <main+164> mov %eax,0x2c(%esp) │ │0x80487e5 <main+168> mov 0x28(%esp),%eax │ │0x80487e9 <main+172> mov %eax,0x8(%esp) │ │0x80487ed <main+176> mov 
0x24(%esp),%eax │ │0x80487f1 <main+180> mov %eax,0x4(%esp) │ │0x80487f5 <main+184> mov 0x2c(%esp),%eax │ │0x80487f9 <main+188> mov %eax,(%esp) │ │0x80487fc <main+191> call 0x8048510 <fgets@plt> │ │0x8048801 <main+196> mov 0x2c(%esp),%eax │ │0x8048805 <main+200> mov %eax,(%esp) │ │0x8048808 <main+203> call 0x80485a0 <strlen@plt> │ │0x804880d <main+208> mov 0x2c(%esp),%edx │ │0x8048811 <main+212> add %edx,%eax │ │0x8048813 <main+214> movb $0x0,(%eax) │ │0x8048816 <main+217> mov 0x28(%esp),%eax │ │0x804881a <main+221> mov %eax,(%esp) │ │0x804881d <main+224> call 0x8048520 <fclose@plt> │ │0x8048822 <main+229> movl $0x8048a15,(%esp) │ │0x8048829 <main+236> call 0x8048620 <gethostbyname@plt> │ │0x804882e <main+241> mov %eax,0x30(%esp) │ │0x8048832 <main+245> cmpl $0x0,0x30(%esp) │ │0x8048837 <main+250> jne 0x8048851 <main+276> │ │0x8048839 <main+252> movl $0x8048a1f,(%esp) │ │0x8048840 <main+259> call 0x8048560 <perror@plt> │ │0x8048845 <main+264> movl $0x1,(%esp) │ │0x804884c <main+271> call 0x8048590 <exit@plt> │ │0x8048851 <main+276> movl $0x0,0x8(%esp) │ │0x8048859 <main+284> movl $0x2,0x4(%esp) │ │0x8048861 <main+292> movl $0x2,(%esp) │ │0x8048868 <main+299> call 0x8048610 <socket@plt> │ └─────────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────────┐ │0x804886d <main+304> mov %eax,0x34(%esp) │ │0x8048871 <main+308> cmpl $0xffffffff,0x34(%esp) │ │0x8048876 <main+313> jne 0x8048890 <main+339> │ │0x8048878 <main+315> movl $0x8048a2d,(%esp) │ │0x804887f <main+322> call 0x8048560 <perror@plt> │ │0x8048884 <main+327> movl $0x1,(%esp) │ │0x804888b <main+334> call 0x8048590 <exit@plt> │ │0x8048890 <main+339> movw $0x2,0x3c(%esp) │ │0x8048897 <main+346> movl $0x8048a34,(%esp) │ │0x804889e <main+353> call 0x8048600 <atoi@plt> │ │0x80488a3 <main+358> movzwl %ax,%eax │ │0x80488a6 <main+361> mov %eax,(%esp) │ │0x80488a9 <main+364> call 0x8048540 <htons@plt> │ │0x80488ae 
<main+369> mov %ax,0x3e(%esp) │ │0x80488b3 <main+374> mov 0x30(%esp),%eax │ │0x80488b7 <main+378> mov 0x10(%eax),%eax │ │0x80488ba <main+381> mov (%eax),%eax │ │0x80488bc <main+383> mov (%eax),%eax │ │0x80488be <main+385> mov %eax,0x40(%esp) │ │0x80488c2 <main+389> movl $0x8,0x8(%esp) │ │0x80488ca <main+397> movl $0x0,0x4(%esp) │ │0x80488d2 <main+405> lea 0x3c(%esp),%eax │ │0x80488d6 <main+409> add $0x8,%eax │ │0x80488d9 <main+412> mov %eax,(%esp) │ │0x80488dc <main+415> call 0x80485e0 <memset@plt> │ │0x80488e1 <main+420> mov 0x2c(%esp),%eax │ │0x80488e5 <main+424> mov %eax,(%esp) │ │0x80488e8 <main+427> call 0x80485a0 <strlen@plt> │ │0x80488ed <main+432> movl $0x10,0x14(%esp) │ │0x80488f5 <main+440> lea 0x3c(%esp),%edx │ │0x80488f9 <main+444> mov %edx,0x10(%esp) │ │0x80488fd <main+448> movl $0x0,0xc(%esp) │ │0x8048905 <main+456> mov %eax,0x8(%esp) │ └─────────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────────┐ │0x8048909 <main+460> mov 0x2c(%esp),%eax │ │0x804890d <main+464> mov %eax,0x4(%esp) │ │0x8048911 <main+468> mov 0x34(%esp),%eax │ │0x8048915 <main+472> mov %eax,(%esp) │ │0x8048918 <main+475> call 0x80485f0 <sendto@plt> │ │0x804891d <main+480> mov %eax,0x38(%esp) │ │0x8048921 <main+484> cmpl $0xffffffff,0x38(%esp) │ │0x8048926 <main+489> jne 0x8048940 <main+515> │ │0x8048928 <main+491> movl $0x8048a39,(%esp) │ │0x804892f <main+498> call 0x8048560 <perror@plt> │ │0x8048934 <main+503> movl $0x1,(%esp) │ │0x804893b <main+510> call 0x8048590 <exit@plt> │ │0x8048940 <main+515> mov 0x34(%esp),%eax │ │0x8048944 <main+519> mov %eax,(%esp) │ │0x8048947 <main+522> call 0x8048630 <close@plt> │ │0x804894c <main+527> movl $0x0,(%esp) │ │0x8048953 <main+534> call 0x8048590 <exit@plt> │ └─────────────────────────────────────────────────────────────────────────────────┘