NarniaOverTheWire

Narnia1

URL: http://overthewire.org/wargames/narnia/narnia1.html

Since there is no information available on the OTW webpage, let’s log into the server using the credentials of narnia0.

Fig. 1

Let’s have a look at the working directory.

Fig. 2

So, we have access to a setuid binary along with its source. We need to analyze the source and solve the level. Let’s have a look at the source code.

Fig. 3

Upon analysis, it’s evident that what we need to do is get the value of val to equal 0xdeadbeef. Note that the character array buf is sized to hold 20 characters, but the input taken by scanf() is a 24-character string. This leaves the program vulnerable to a memory corruption attack, as we shall see.

Let’s first give it a trial run.

Fig. 4

The input we provided here is “0123456789012345678”, which has length 19. In memory the length is actually 20 because of the terminating null character, so that should be the maximum length the array buf is able to hold.

Now, let’s add one more character to make the length 21 and see what happens.

Fig. 5

Notice what happened? The value of val changed! Note that the LSB of val is now set to 0. The last character of buf, which was the null character, “overflowed” into the memory region allocated to val. Using this vulnerability, we can possibly take total control over the value of the variable val!

Let’s add more characters to see if we can modify all of the bytes of val.

Fig. 6

So, we now have total control of val. Note that the values of the bytes we overwrote are the ASCII codes of the characters we provided in the string. Also, they appear in the reverse of the order in which they were entered.

So, if we want val to have the value 0xdeadbeef, we have to provide the byte sequence 0xef, 0xbe, 0xad, 0xde. These are not printable characters, so we should pass them as raw bytes. This can be done using the echo command and piping its output to the program.
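The root cause described above is a scanf() width that is larger than the destination buffer, and the symptom is that bytes land in the variable laid out right after it. The following C program is an added example, not the narnia0 source: it shows the hardened form of the read, with the scanf width derived from the buffer size instead of hard-coded, and a test helper that places a sentinel value right after the buffer (mirroring the buf/val adjacency observed in the figures) so you can confirm the sentinel survives an over-long input. The names read_token_bounded, sentinel_after_read and BUF_LEN are assumptions made for this example; the input string is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example (not the narnia0 source). The defect in the write-up is a
 * scanf() width larger than the destination buffer. Here the width is
 * derived from BUF_LEN, so at most BUF_LEN - 1 characters plus the
 * terminating null are ever stored. */
#define BUF_LEN 20

/* Reads one whitespace-delimited token from `in` into `buf`, never writing
 * past BUF_LEN bytes. Returns the number of characters stored, or -1 on
 * EOF / error. */
int read_token_bounded(FILE *in, char buf[BUF_LEN]) {
    char fmt[16];
    /* Build "%19s" from the buffer size rather than hard-coding "%24s" */
    snprintf(fmt, sizeof fmt, "%%%ds", BUF_LEN - 1);
    if (fscanf(in, fmt, buf) != 1)
        return -1;
    return (int)strlen(buf);
}

/* Test helper: a buffer followed immediately by a sentinel, the same
 * adjacency the write-up observes between buf and val. Feeds `input`
 * (a constructed string) through the bounded reader and returns the
 * sentinel so a caller can check it was not clobbered. Uses fmemopen()
 * so it runs offline without touching stdin. */
unsigned long sentinel_after_read(const char *input, int *stored) {
    struct {
        char buf[BUF_LEN];
        unsigned long val;   /* stands in for narnia0's val */
    } frame;
    memset(frame.buf, 0, sizeof frame.buf);
    frame.val = 0x41414141UL;          /* the initial value shown in the level */

    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) {
        *stored = -1;
        return frame.val;
    }
    *stored = read_token_bounded(in, frame.buf);
    fclose(in);
    return frame.val;
}

int main(void) {
    int n;
    /* Constructed input: 24 characters, the width the original scanf accepts */
    unsigned long v = sentinel_after_read("012345678901234567890123", &n);
    printf("stored %d chars, sentinel val = 0x%lx\n", n, v);
    return 0;
}
```

With the width tied to the buffer size, the 24-character input is truncated to 19 stored characters and the sentinel keeps its initial value; the same program compiled with the original "%24s" would be the defect the level demonstrates. A quick review check for this class of bug is to compare every scanf/fscanf/sscanf "%Ns" width against the declared size of its target array and flag any width that is not at most size - 1.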

Fig. 7

Now we have provided the proper value, but it seems the program does not wait for us to provide further input and instead exits. We need to keep the program alive long enough for us to get the password.

We can do that by creating a command group, which chains input to the program. It works as follows: (command1; command2;) | ./narnia0. A command group will first provide the output of command1 to the program, i.e. to the scanf(). The next part, command2, will be provided to the shell. After a couple of tries using common commands, we can get the shell to stay.

Fig. 8

Level complete!

Username: narnia1
Password: **********

