As a part of my New Year's resolutions I decided to improve my knowledge of binary exploitation, learn more by completing challenges from OverTheWire, especially Narnia, as they are aimed to people wanting to learn about basics.
Firstly, let's take a look at the code of this program.
Okay, now we know that the binary accepts one string input from the user and puts the string into a buffer of 20 bytes, then if the value of variable val is equal to 0xdeadbeef, we will get a shell. Let's try to send to 20 "A" characters, with 4 letters "B", in order to overflow the buffer, and overwrite the value of 0x41414141 with our "B" letters.
Great, now we know that it works and we're one step closer to the solution. Now let's think how we can change value to 0xdeadbeef. First thing to remember - the values need to be in hex format, not characters as I thought at first. In addition, I recalled that the bytes will be in reversed order, so we have to write them from the last to the first one.
We got the shell but it closed immediately! Let's find a way to keep it running, in order to view the password to the next level.
Unfortunately, it closed too quickly and the command was executed after the shell had closed. I tried many other commands, and noticed something strange - cat seemed to do exactly what we want!
But why is it working? From man page:
With no FILE, or when FILE is -, read standard input.
As I never tought before, this was a great challenge, and I think I got more interested in binary exploitation and reverse engineering. Can't wait to try out some other challenges, and I'll see you in the next one!
Keep learning and stay safe! ~ W3ndige