The MCPA competitive hacking team, also known as the Hammer of Thor (HoT), competes in private and public competitions on a regular basis in order to enhance individual technical abilities across the MCPA member base. HoT competes during specified events as directed by the Team Captain.
This is a solution guide to the Narnia2 Level at overthewire This write-up was originally created on 28 February 2015.
Challenge Description: Narnia2 is another buffer overflow vulnerable program. This challenge builds on Narnia0 and Narnia1 where an attacker must determine the proper buffer overflow offset and place shellcode in a location that is known. This allows an attacker to execute arbitrary code.
First connect to the lab
ssh narnia2@narnia.labs.overthewire.org
Enter the following as the password nairiepecu
Change directories to the narnia games folder cd /narnia. Next, let’s examine how we get the password for the next level less narnia2.c.
This challenge appears to revolve around a simple buffer overflow. Notice that
the strcpy will take whatever argument is in argv and copy it to the buffer. Also
that there is no bounds checking - as a result it is possible to overwrite the
return address following printf.
First, let’s figure out how large the buffer is that we need to overflow. We know
buf is 128 bytes, so let’s setup that first.
So lets test it out, but first lets find a good breakpoint in gdb. Startup narnia2 inside gdb with the following command: gdb ./narnia2 and then:
Since we are attempting to target the last ret, lets set a breakpoint
at the leave instruction with the following gdb command: break *0x080484c1
Now we are ready to experiment! Now run a string that is a total of 140 bytes.
Okay, now that we know we crash let’s verify that we can take control of the program.
We can test this by adding 4 known bytes to see if we crash at the address we have
chosen.
Now we know we can take control of the program! so now we have to pick a good address
that we want to return to. A good way to do this is to examine esp and subtract our
buffer length so see where our shellcode can start.
So now we know the earliest starting address is 0xffffd5c0. Next we should craft our exploit. The first step is to grab some shellcode from shell storm. Next, let’s craft our exploit together with the shellcode.
Notice that I have added some padding, this is mainly to help my exploit so that I don’t have to be as precise and it also helps since the environment variables change when I exit the debugger. Now, we can try out exploit, but first let’s see what it looks like in the stack so that we can compare against our previous test.
Notice that we now have shellcode that is interwoven between our “A”s and “B”s to assist
with accounting for changes once we leave the debugger. So now we can pick a return address
somewhere inside the “A”s. I am going to select an address in the middle, 0xffffd5e0.
Great it worked! Now, let’s try it outside the debugger.
BINGO, it worked and we didn’t even have to worry about our address because of the padding!
Level 3 password is vaequeezee