Narnia 1 - OverTheWire - Updated Walktrough
Narnia 1 is about teaching you to write, inject and use ShellCode.
*NOTE - this tutorial is for programmers like me, that just learn some web programming, maybe having fun with some hacking ect., no idea about c or assembler. If you're a computer science deg. this might be wwaayy over simplifying, and therefor its not for you.
The main purpose of this tutorial is not HOW to solve narnia1, but to UNDERSTAND how to solve it a-z.
What's ShellCode? Its a crafted piece of code, usually meant for a shell, usually binary code (in hex representation, called Object Code)
So as stated there are 3 stages here, -write, -inject, -run. I'll start from the last.
RUN YOUR SHELLCODE
Well, in order to run your shellcode, you need to know where is the exploit, and adapt the code to that, so lets open narnia and lets see the exlpoit in "narnia1.c":
ret = getenv("EGG");
ret();
Well, whats "ret"? It is defined "int (*ret)();", and when googling that it means a function pointer, expected to return and int.
That goes will when googling what "getenv", which is returning the pointer to an
Environment Variable.
*If you don't know what a pointer is, please learn about that, its important, since if this couple breaks and one of them is not a pointer it won't work.
Therefor we now understand that the code in "narnia1", it's a program that's running a function that has its pointer in the Environment Variable of "EGG".
So if we want to exploit that, we can try running our own code in that function.
INJECT YOUR SHELLCODE
As said, we can just inject our own code to "EGG". For that we need to understand a very simple thing, that code is a "c" compiled code running, so we cant send c there... that won't work.
So to what C is being compiled to? C (and many other "elite" or "high-level" languages) compiles to Assembler (a "low level" language), and that gets "assembled" or "relocate" or "mapped" to Object Code or Binary Code.
So in the end what you will want to inject some Binary Code or Object Code (which can be written in hex instead of binary, since the computer works in bytes). Write some hex Object Code to "EGG" and you have your exploit.
WRITE YOUR SHELLCODE
This is the part where everything gets interesting. 1st of all you don't really have to write any code, when you get that you can just google "shellcode x" where "x" is the code you need, already prepared and tested for you like from http://shell-storm.org/shellcode/ which is referenced as the Shellcode DB.
But that's all boring and we didn't learn anything. Its like the closest thing to a spoiler.
BTW you can do all kind of ShellCode with a tool called "msfvenom" but i couldn't find a way causing it to create a ShellCode for "seteuid(geteuid(),geteuid())", i guess since there isn't a way doing it from shell.
Therefor, we MUST turn to... Assembly.
Why not c? Well, here is your stack answer. To make is super short and simple, when c compiles to assembler it generates call address, and in the target machine you don't have that address, so you need to use system call directly.
ASSEMBLER INTRODUCTION
You should go and quickly do a little assembly tutorial.
Now lets get to the point, we want to call c functions via assembler. All those functions lie in a file that is a table for them,
Next, talking in x32, lets go. Since we want to do system calls lets see them, but we all now have x64 linux its in a different file than in the x32:
"head -20 /usr/include/x86_64-linux-gnu/asm/unistd_32.h"
we can look for specific command, for example we now know that even when there is the "s" flag on a file we still need to call "setreuid" to make it effective, so
"cat /usr/include/x86_64-linux-gnu/asm/unistd_32.h | grep setreuid"
*NOTE - this tutorial is for programmers like me, that just learn some web programming, maybe having fun with some hacking ect., no idea about c or assembler. If you're a computer science deg. this might be wwaayy over simplifying, and therefor its not for you.
The main purpose of this tutorial is not HOW to solve narnia1, but to UNDERSTAND how to solve it a-z.
What's ShellCode? Its a crafted piece of code, usually meant for a shell, usually binary code (in hex representation, called Object Code)
So as stated there are 3 stages here, -write, -inject, -run. I'll start from the last.
RUN YOUR SHELLCODE
Well, in order to run your shellcode, you need to know where is the exploit, and adapt the code to that, so lets open narnia and lets see the exlpoit in "narnia1.c":
ret = getenv("EGG");
ret();
That goes will when googling what "getenv", which is returning the pointer to an
Environment Variable.
*If you don't know what a pointer is, please learn about that, its important, since if this couple breaks and one of them is not a pointer it won't work.
Therefor we now understand that the code in "narnia1", it's a program that's running a function that has its pointer in the Environment Variable of "EGG".
So if we want to exploit that, we can try running our own code in that function.
INJECT YOUR SHELLCODE
As said, we can just inject our own code to "EGG". For that we need to understand a very simple thing, that code is a "c" compiled code running, so we cant send c there... that won't work.
So to what C is being compiled to? C (and many other "elite" or "high-level" languages) compiles to Assembler (a "low level" language), and that gets "assembled" or "relocate" or "mapped" to Object Code or Binary Code.
So in the end what you will want to inject some Binary Code or Object Code (which can be written in hex instead of binary, since the computer works in bytes). Write some hex Object Code to "EGG" and you have your exploit.
WRITE YOUR SHELLCODE
This is the part where everything gets interesting. 1st of all you don't really have to write any code, when you get that you can just google "shellcode x" where "x" is the code you need, already prepared and tested for you like from http://shell-storm.org/shellcode/ which is referenced as the Shellcode DB.
But that's all boring and we didn't learn anything. Its like the closest thing to a spoiler.
BTW you can do all kind of ShellCode with a tool called "msfvenom" but i couldn't find a way causing it to create a ShellCode for "seteuid(geteuid(),geteuid())", i guess since there isn't a way doing it from shell.
Therefor, we MUST turn to... Assembly.
Why not c? Well, here is your stack answer. To make is super short and simple, when c compiles to assembler it generates call address, and in the target machine you don't have that address, so you need to use system call directly.
ASSEMBLER INTRODUCTION
You should go and quickly do a little assembly tutorial.
Now lets get to the point, we want to call c functions via assembler. All those functions lie in a file that is a table for them,
Next, talking in x32, lets go. Since we want to do system calls lets see them, but we all now have x64 linux its in a different file than in the x32:
"head -20 /usr/include/x86_64-linux-gnu/asm/unistd_32.h"
we can look for specific command, for example we now know that even when there is the "s" flag on a file we still need to call "setreuid" to make it effective, so
"cat /usr/include/x86_64-linux-gnu/asm/unistd_32.h | grep setreuid"
חח, איזה גבר. אהבתי את ה ברסלבלופר. לך בכוחך זה והושעת את ישראל! :)
ReplyDelete