Let's go back to another reverse engineering challenge from OverTheWire. Today we'll be dealing with a little different type of buffer overflow.
This time, we can start by firstly running the program.
But what can we see in the source code?
This code may look complicated at first. But, after taking a closer look, we can see a potential buffer overflow vulnerability in ifile buffer, which is 32 bytes in size.
Because strcpy() does not perform any checks of the length of the input, if I give a file name longer than 32 bytes in length, I would be able to overwrite the ofile from /dev/null to another file.
It's known bug in the strcpy man pages:
If the destination string of a strcpy() is not large enough, then anything might happen. Overflowing fixed-length string buffers is a favorite cracker technique for taking complete control of the machine. Any time a program reads or copies data into a buffer, the program first needs to check that there's enough space. This may be unnecessary if you can show that overflow is impossible, but be careful: programs can get changed over time, in ways that may make the impossible possible.
Firstly, I'm going to create a file in /tmp directory, where possibly, the password for the next level will end up.
Then, I'm going to use Python and calculate how long the directory should be, together with /tmp/ beggining. We can also generate letters for our directory name.
Now, let's move on and create a directory. But because its name will only fulfill the buffer, we have to add another one, which will overwrite the buffer.
Now we can create a link using ln command on w3ndige file, to the password file. This means that when we cat the created file, it will actually cat the content of the password file “/etc/narnia_pass/narnia4”. We can also see, if it works, using ls command.
Now we have to pass this directory, as an argument, to the binary. Let's pray it works.
And it worked, now we have the password!
Once gain thanks OverTheWire! I'm definitely looking forward to new challenges from Narnia, as I'm getting more and more interested in reverse engineering.
Keep learning and stay safe! ~ W3ndige