up vote 1 down vote favorite

So I was running some wargames today, and it was all going well until I ran into one particular level. The reason I can't get it to work is that I have nowhere to put the shellcode; the two buffers are too small to fit any useful shellcode and all environment variables get memset to 0, as do any extra arguments.

The wargame is the "narnia" series from OverTheWire, level 6. I could just look up a solution, but I'd prefer to get a pointer in the right direction as opposed to being spoonfed the answer :)

Source follows:

/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

// tired of fixing values...
// - morla
unsigned long get_sp(void) {
       __asm__("movl %esp,%eax\n\t"
               "and $0xff000000, %eax"
               );
}

int main(int argc, char *argv[]){
        char b1[8], b2[8];
        int  (*fp)(char *)=(int(*)(char *))&puts, i;

        if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

        /* clear environ */
        for(i=0; environ[i] != NULL; i++)
                memset(environ[i], '\0', strlen(environ[i]));
        /* clear argz    */
        for(i=3; argv[i] != NULL; i++)
                memset(argv[i], '\0', strlen(argv[i]));

        strcpy(b1,argv[1]);
        strcpy(b2,argv[2]);
        //if(((unsigned long)fp & 0xff000000) == 0xff000000)
        if(((unsigned long)fp & 0xff000000) == get_sp())
                exit(-1);
        fp(b1);

        exit(1);
}

Also, as an extra question, what is the whole function pointer arithmetic about? Could it be the key to the answer? I haven't done a whole lot of C or C++, so I'm not too educated in pointer-fu :)

share|improve this question
    
You should try to take a look at the community of security.stackexchange.com there should be more people prepared on this kind of question – rakwaht Mar 20 at 13:03
    
Plenty of space in argv[0...2] - you just need to write so that they do not need null bytes. Notice that the for-loop starts with i=3, and argv[3] is null already so it doesn't do anything there. – Antti Haapala Mar 20 at 13:04
    
But the thing is, if I put more than 8 bytes of data in argv[1] or argv[2], then the program is going to segfault because I'm trying to write outside of the current frame in strcpy, right? Do I need to do something like putting 7 bytes of data followed by a 0 byte and then my shellcode in argv[1] in order to keep it from writing more than 8 bytes? – Rasmus Beck Mar 20 at 13:44

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Browse other questions tagged or ask your own question.