{"id":21579,"date":"2020-01-02T20:28:32","date_gmt":"2020-01-02T20:28:32","guid":{"rendered":"https:\/\/hackmethod.com\/?p=21579"},"modified":"2020-01-04T16:37:35","modified_gmt":"2020-01-04T16:37:35","slug":"overthewire-narnia-4","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-narnia-4\/","title":{"rendered":"OverTheWire – Narnia 4"},"content":{"rendered":"\n

Welcome back! In the last level, we covered narnia3, which was a good play with buffer overflows and file permissions. Now that we\u2019ve successfully owned narnia3, let\u2019s move on to narnia4.<\/p>\n\n\n\n

Introduction<\/h2>\n\n\n\n
\/*\n  This program is free software; you can redistribute it and\/or modify\n  it under the terms of the GNU General Public License as published by\n  the Free Software Foundation; either version 2 of the License, or\n  (at your option) any later version.\n \n  This program is distributed in the hope that it will be useful,\n  but WITHOUT ANY WARRANTY; without even the implied warranty of\n  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n  GNU General Public License for more details.\n \n  You should have received a copy of the GNU General Public License\n  along with this program; if not, write to the Free Software\n  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA \n  02110-1301  USA\n*\/\n \n#include <string.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <ctype.h>\n \nextern char **environ;\n \nint main(int argc,char **argv){\n   int i;\n   char buffer[256];\n \n   for(i = 0; environ[i] != NULL; i++)\n       memset(environ[i], '\\0', strlen(environ[i]));\n \n   if(argc>1)\n       strcpy(buffer,argv[1]);\n \n   return 0;\n}\n\n<\/code><\/pre>\n\n\n\n
Static Code Analysis<\/h2>\n\n\n\n
<\/p>\n\n\n\n
I will not be covering the includes this time, as the previous walkthrough has already covered how most of them work. For more information on this, refer to the narnia3 article.<\/p>\n\n\n\n
extern char **environ;\n<\/code><\/pre>\n\n\n\n
According to http:\/\/man7.org\/linux\/man-pages\/man7\/environ.7.html<\/a> , \u201cThe variable environ<\/em> points to an array of pointers to strings called the “environment”.  The last pointer in this array has the value NULL. By convention the strings in environ<\/em> have the form “name<\/em>=<\/strong>value<\/em>“.\u201d This basically means that this variable will point to environment variables, for example SHELL, PATH, etc. <\/p>\n\n\n\n
char buffer[256];<\/code><\/pre>\n\n\n\n
The above line tells us that we have an available buffer of 256 bytes. This is what we will use, along with the dangerous strcpy function to cause a buffer overflow.<\/p>\n\n\n\n
for(i = 0; environ[i] != NULL; i++)\n       memset(environ[i], '\\0', strlen(environ[i]));<\/code><\/pre>\n\n\n\n
The above section of code is where things get interesting. These lines are responsible for clearing out any environment variables, and setting them to NULL. This means that we will have to directly send our payload to the binary using arguments. We will not be able to send shellcode through environment variables.<\/p>\n\n\n\n
strcpy(buffer,argv[1]);<\/code><\/pre>\n\n\n\n
The above line is the vulnerable section of this program. The strcpy function takes input supplied by the user and copies that input to the buffer. <\/p>\n\n\n\n
Now the only problem is that strcpy has no check whatsoever as to how many bytes should be copied, which means that strcpy will endlessly copy the bytes until it reaches the end of the user supplied string, which may result in a buffer overflow if the number of bytes exceeds the buffer.  <\/p>\n\n\n\n
<\/p>\n\n\n\n
Exploit Staging and Development<\/h2>\n\n\n\n
<\/p>\n\n\n\n
Our objective is to cause a buffer overflow in the narnia4 setuid binary (owned by narnia5), which will give us a shell as narnia5. Take a look at Fig 1.4:<\/p>\n\n\n\n
\"\"
Fig 1.4 shows the permissions of the narnia4 binary. Note that it will be executed as narnia5<\/figcaption><\/figure><\/div>\n\n\n\n
Now that our basic code analysis is done, and we have understood the important operations of the binary, let\u2019s take it into gdb and play around with it. We will do this by executing:<\/p>\n\n\n\n
narnia4@narnia:\/narnia$ gdb narnia4<\/code><\/pre>\n\n\n\n
After a few tries to cause a buffer overflow, I found that 264 A’s + 4 B’s would overwrite EIP perfectly with the 4 B’s. I started with 270 As and then worked back how many As would be needed until EIP contains the 4 B’s. This can be seen in Fig 1.1:<\/p>\n\n\n\n
\"\"
Fig 1.1 shows a successful buffer overflow attempt<\/figcaption><\/figure><\/div>\n\n\n\n
By taking a look at Fig 1.2 below, it is safe to conclude that we have about 268 bytes available for shellcode which will overwrite the RET (return) address. Our buffer starts at 0xffffd780 and ends at 0xffffd888.<\/p>\n\n\n\n
\"\"
Fig 1.2 shows the memory dump of ESP (first 250 bytes), achieved by the gdb command: x\/250x $esp
<\/figcaption><\/figure><\/div>\n\n\n\n
I will be using 0xffffd7a0 as the RET address, as this is conveniently closer to the start of the buffer. Now, all we need to do is replace the As with \\x90, which will serve as our NOP sled, and then add the shellcode and the ret address in. Our rough exploit structure will look something like this:<\/p>\n\n\n\n
239 NOPS + 25 byte shellcode (already in little endian) + 4 byte RET address (little endian)<\/p>\n\n\n\n
The shellcode below is what I will be using to spawn a shell. More specifically, it executes \/bin\/sh. Note that this is 25 bytes long.<\/p>\n\n\n\n
\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x89\\xc2\\xb0\\x0b\\xcd\\x80\n<\/code><\/pre>\n\n\n\n
With that being said, let\u2019s give it a shot outside gdb! Fig 1.3 shows the exploit structure.<\/p>\n\n\n\n
Once you have successfully exploited this binary, you will use your newfound leverage to get the password for the next level. Simply cat \/etc\/narnia_pass\/narnia5. You will use this in order to login as user narnia5 in order to solve the next challenge. <\/p>\n\n\n\n
\"\"
Fig 1.3 shows a successful buffer overflow exploit<\/figcaption><\/figure><\/div>\n\n\n\n
This challenge really touches upon the essentials of a basic buffer overflow exploit, that can only be done by passing our desired shellcode using the binary’s arguments only.  I hope you enjoyed this challenge, and I will see you in the next challenge!<\/p>\n\n\n\n
<\/p>\n\n\n\n
 If you missed out on Narnia Level 3 click the button on the left to check it out.  If you\u2019re all caught up and want to see more, Level 5 is  coming soon.<\/p>\n\n\n\n
 <\/p>\n\n\n\n
\n
\n
Narnia Level 3<\/a><\/div>\n<\/div>\n\n\n\n
\n
Narnia Level 5
Coming Soon!<\/a><\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Welcome back! In the last level, we covered narnia3, which was a good play with buffer overflows and file permissions. Now that we\u2019ve successfully owned narnia3, let\u2019s move on to narnia4. Introduction Static Code Analysis I will not be covering the includes this time, as the previous walkthrough has already covered how most of them work. For […]<\/p>\n","protected":false},"author":89,"featured_media":1842,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[52],"tags":[],"class_list":["post-21579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2016\/01\/NarniaImage.jpeg?fit=600%2C400&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-5C3","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/21579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/89"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=21579"}],"version-history":[{"count":24,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/21579\/revisions"}],"predecessor-version":[{"id":21700,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/21579\/revisions\/21700"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/1842"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=21579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=21579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=21579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}