ELF>@5@8 @"!@@@888HH hh h  xx x TTTDDPtdTTQtdRtdhh h /lib64/ld-linux-x86-64.so.2GNUGNU>ܻ_3!bM )gUa fHO4{;V _ l"A . libc.so.6fopenperrorputs__stack_chk_failstdinprintffgetsstdoutfclosesystemstrtoullfwritefread__cxa_finalize__libc_start_mainGLIBC_2.4GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTableii ui h  p p                          HH HtH5 % @% h% h%z h%r h%j h%b h%Z h%R hp%J h`%B h P%: h @%R f1I^HHPTLH sH=T DH=) UH! H9HtH Ht ]f.]@f.H= H5 UH)HHHH?HHtH Ht ]f]@f.= u/H=w UHt H=z H ]fDUH]fUHH=f]UHH dH%(HE1H5H=vHHu0H=i"H  HHHUHHHѺHHHuHHHEdH3%(tUHH dH%(HE1HDžƅsH=@#H=H= H=$H=H=H=H=H5H=H=H=H HHHHHHHHH=~H=mHF HHbHHǸ>< CHEdH3%(tUH_]AWAVAAUATL% UH- SIIL)HHOHt 1LLDAHH9uH[]A\A]A^A_Ðf.HH/bin/shr/proc/self/mapsCouldn't open /proc/self/maps!------------ Welcome to format string exploitation! ------------ Format strings are dangerous. Never call `printf` on untrusted input. Because `printf` is varargs, it cannot know how many arguments were passed to it. As a result, it relies purely on the format string and will happily read off as many arguments as are requested by the stringHere are some useful tools for developing your exploit:1. $ operator: used to select which argument to print, e.g. `%10$c` will print the tenth argument as a char2. `n` format specifier: writes the number of characters printed so far into the location specified by the current argument, i.e. the current argument must be a pointer to where to write3. Field widths: Pads the value to a minimum of the specified size, e.g. %60c will print 59 spaces with a character at the end. (useful for adjusting printed character count in preparation for a %n)4. Length modifiers: l and h. Modify the length of the current argument by prepending a 'long' or 'short' to the type, respectively. e.g. %hd will print a short (16-bit), %lld will print a long long int (64-bit). Can also be applied with %n to write more/fewer bytes. By the way, here's my /proc/self/maps:In this binary, you want to try to call `call_me` at %p With that said, exploit me!Give me a number: OK, I wrote 0x%llx to `your_number` at %p Go ahead: ;T X(p2E @`(zRx +zRx $FJ w?;*3$"DH\JAC N |=AC  AC  XAC L DPeBBE B(H0H8M@r8A0A(B BBB$x p   h p o h  oooopox &6FVfv GCC: (Ubuntu 7.2.0-8ubuntu3) 7.2.0,   8O2Tintni(i b   2  ( 0 =8 @ UH P @X Z` `h wbp i bt px F T #f cv !{ M) T* [+ b, i.- q/b p1| Z "Z ,` b) v 8"  8~;<-=`w`y`#b iJG( E j j{{ {8 f _buf _len -_ 8a % : ; I$ > $ >   I&I : ;  : ; I8 : ;I8 : ; I !I/ <4: ;I?<4: ; I?<!.?: ; @B.?: ; @B4: ; I!I/4: ; I.?: ; '@B= /usr/lib/gcc/x86_64-linux-gnu/7/include/usr/include/x86_64-linux-gnu/bits/usr/include/usr/include/x86_64-linux-gnu/bits/typesformat101.cstddef.htypes.hlibio.hFILE.hstdio.hsys_errlist.h  K>/4hvwY"w< hK__off_t_IO_read_ptr_chainsize_t_shortbuf_IO_2_1_stderr__IO_buf_baselong long unsigned intcall_melong long int_fileno_IO_read_end_flags_IO_buf_end_cur_column_old_offset/home/paul/projects/seclab/hackmeetings/2March2018_IO_markerstdinyour_number_IO_FILE_plus_IO_write_ptrsys_nerr_sbufshort unsigned intsecure_function_IO_save_base_lock_flags2_modestdout_IO_2_1_stdin__IO_write_end_IO_lock_t_IO_FILE_possys_errlist_markersunsigned charshort intformat101.c_vtable_offset_IO_2_1_stdout_inputprint_proc_maps_next__off64_t_IO_read_base_IO_save_end__pad1__pad2__pad3__pad4__pad5_unused2stderrGNU C11 7.2.0 -mtune=generic -march=x86-64 -gdwarf -fstack-protector-strong_IO_backup_basemain_IO_write_base8Ttp       h p x h     !p 7( Fp m yh Dp x h h   4 1  HZm    / < K X g@ e0 5+w  (    "q crtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.7632__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryformat101.c__FRAME_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTablestdout@@GLIBC_2.2.5puts@@GLIBC_2.2.5fread@@GLIBC_2.2.5stdin@@GLIBC_2.2.5_edatafclose@@GLIBC_2.2.5__stack_chk_fail@@GLIBC_2.4system@@GLIBC_2.2.5printf@@GLIBC_2.2.5__libc_start_main@@GLIBC_2.2.5fgets@@GLIBC_2.2.5call_mestrtoull@@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin_used__libc_csu_initprint_proc_maps__bss_startmainfopen@@GLIBC_2.2.5perror@@GLIBC_2.2.5secure_functionfwrite@@GLIBC_2.2.5__TMC_END___ITM_registerTMCloneTable__cxa_finalize@@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str88#TT 1tt$Do(N V^opp&ko0zB  Thh hp px xh h   0 #3 0 c X$5'%A30&) 0 1%4>