Narnia 3#

C File#

1
int main(int argc, char **argv){
2

3
    int  ifd,  ofd;
4
    char ofile[16] = "/dev/null";
5
    char ifile[32];
6
    char buf[32];
7

8
    if(argc != 2){
9
        printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]);
10
        exit(-1);
11
    }
12

13
    /* open files */
14
    strcpy(ifile, argv[1]);
15
    if((ofd = open(ofile,O_RDWR)) < 0 ){
16
        printf("error opening %s\n", ofile);
17
        exit(-1);
18
    }
19
    if((ifd = open(ifile, O_RDONLY)) < 0 ){
20
        printf("error opening %s\n", ifile);
21
        exit(-1);
22
    }
23

24
    /* copy from file1 to file2 */
25
    read(ifd, buf, sizeof(buf)-1);
26
    write(ofd,buf, sizeof(buf)-1);
27
    printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);
28

29
    /* close 'em */
30
    close(ifd);
31
    close(ofd);
32

33
    exit(1);
34
}

Approach#

Again we another unsafe strcpy, but this time we can’t rewrite the return address since they are using exit

What we can do though is overwrite the ofile to whatever we want

The only problem is that our ifile will have to be a string + contents of ofile, or ofile is the substring of ifile after 32 chars

Solution#

1
/narnia/narnia3 /tmp/tmp.3TVcyK0aB0/hello123456/pass

When we do this our ifile becomes /tmp/tmp.3TVcyK0aB0/hello123456/pass and our ofile becomes pass

Now we just make a symbolic link from /tmp/tmp.3TVcyK0aB0/hello123456/pass to /etc/narnia_pass/narnia4, and keep an empty local file called pass

Now when the code runs it will copy the contents of the password into our local pass file

We open up our file, grab the password, and move on

Conclusion#

Again be careful with strcpy as its an easy way to cause a buffer overflow