{"id":588,"date":"2023-05-01T11:14:41","date_gmt":"2023-05-01T09:14:41","guid":{"rendered":"https:\/\/mindshield.eu\/?p=588"},"modified":"2023-06-27T15:55:30","modified_gmt":"2023-06-27T13:55:30","slug":"narnia4","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/05\/01\/narnia4\/","title":{"rendered":"\ud83e\udd81Narnia 4"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"588\" class=\"elementor elementor-588\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5652906 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5652906\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e263e97\" data-id=\"e263e97\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-43055ad elementor-widget elementor-widget-text-editor\" data-id=\"43055ad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Back for the 4th Narnia challenge!<\/p><p>The Narnia 4 challenge closely resembles the Narnia2 challenge covered previously: it is the same security flaw.<\/p><p>Let's dissect this challenge without further delay!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5b9d70c elementor-section-boxed 
elementor-section-height-default elementor-section-height-default\" data-id=\"5b9d70c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-cadfa3a\" data-id=\"cadfa3a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-62b9db2 elementor-widget elementor-widget-heading\" data-id=\"62b9db2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Discovery<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f122c36 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f122c36\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-67f551e\" data-id=\"67f551e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-46f3bec elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"46f3bec\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container 
elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d321c99\" data-id=\"d321c99\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e969d89 elementor-widget elementor-widget-text-editor\" data-id=\"e969d89\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The goal of this challenge is to execute a shell by way of the setuid bit, in order to obtain the Narnia5 password.<\/p><p>As you may have noticed, this is the same security flaw as in the Narnia2 challenge, namely the strcpy call.<\/p><p>We can reuse the steps seen previously:<\/p><ol><li>Determine the payload size with peda<\/li><li>Retrieve a return address<\/li><li>Modify the previous payload (narnia2) to adapt it<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-88882d9 elementor-widget elementor-widget-code-highlight\" data-id=\"88882d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include &lt;string.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;stdio.h&gt;\r\n#include &lt;ctype.h&gt;\r\n\r\nextern char **environ;\r\n\r\nint main(int argc,char **argv){\r\n    int i;\r\n    char buffer[256];\r\n\r\n    for(i = 0; environ[i] != NULL; i++)\r\n        memset(environ[i], '\\0', 
strlen(environ[i]));\r\n\r\n    if(argc&gt;1)\r\n        strcpy(buffer,argv[1]);\r\n\r\n    return 0;\r\n}\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d7aa111 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d7aa111\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-eda8e3a\" data-id=\"eda8e3a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7863967 elementor-widget elementor-widget-heading\" data-id=\"7863967\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c7fd221 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c7fd221\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ef5332a\" data-id=\"ef5332a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8848d3d elementor-widget elementor-widget-heading\" data-id=\"8848d3d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Determining the payload size\n<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-357e2d0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"357e2d0\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-21b9f93\" data-id=\"21b9f93\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0d22236 elementor-widget elementor-widget-text-editor\" data-id=\"0d22236\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To determine the payload size, peda is a convenient tool.<\/p><p>Peda is a debugger based on gdb. 
It has the advantage of being very visual and therefore easier to use than gdb.<\/p><p>Let's start by launching peda with the command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d0d8bdb elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d0d8bdb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-13c9b25\" data-id=\"13c9b25\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a21e0e2 elementor-widget elementor-widget-code-highlight\" data-id=\"a21e0e2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>peda<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-be0c770 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"be0c770\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 
elementor-top-column elementor-element elementor-element-d42d62f\" data-id=\"d42d62f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eeee2a9 elementor-widget elementor-widget-text-editor\" data-id=\"eeee2a9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Select the file to use:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b04bf7a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b04bf7a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-cd842ce\" data-id=\"cd842ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8358cd3 elementor-widget elementor-widget-code-highlight\" data-id=\"8358cd3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>file 
\/narnia\/narnia4<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ff8e1bd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ff8e1bd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ec348de\" data-id=\"ec348de\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-00a4351 elementor-widget elementor-widget-text-editor\" data-id=\"00a4351\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tTo determine where to place the breakpoint, use the <code>disassemble<\/code> command:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ea6068a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ea6068a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a1b75c9\" data-id=\"a1b75c9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-007e492 elementor-widget elementor-widget-code-highlight\" data-id=\"007e492\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>disassemble main<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7475f66 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7475f66\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-93eb1a3\" data-id=\"93eb1a3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-156e3c3 elementor-widget elementor-widget-image\" data-id=\"156e3c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"468\" height=\"753\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-6.png\" class=\"attachment-large size-large wp-image-590\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-6.png 468w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/02\/Untitled-6-186x300.png 186w\" sizes=\"(max-width: 468px) 100vw, 468px\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5b04634 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5b04634\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4349e66\" data-id=\"4349e66\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-306a4a4 elementor-widget elementor-widget-text-editor\" data-id=\"306a4a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We can see that the strcpy call is at main+117, so it is worth placing the breakpoint there.<\/p><p>Set an argument long enough to fill the 256-char buffer and overflow it, for example:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ff51886 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ff51886\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0d49fb8\" data-id=\"0d49fb8\" data-element_type=\"column\" 
data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b8eab5f elementor-widget elementor-widget-code-highlight\" data-id=\"b8eab5f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>set args $(python2 -c 'print(\"A\"*256 + \"BBBB\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b34e3db elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b34e3db\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b13e9c1\" data-id=\"b13e9c1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3c954b8 elementor-widget elementor-widget-text-editor\" data-id=\"3c954b8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Run the program with the <code>run<\/code> command and see what happens. 
<br \/><br \/>You can step through the instructions one at a time by typing &#8220;<strong>n<\/strong>&#8221; and then pressing the <strong>Enter<\/strong> key.<br \/><br \/><\/p><p>As seen in the Narnia 2 challenge, all that remains is to find the point at which EIP takes the value \u2018BBBB\u2019 by adjusting the number of A's.<br \/><br \/><\/p><p>At that point, you will know how long your injection must be.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-508e28c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"508e28c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9f8a7fd\" data-id=\"9f8a7fd\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-47b45e8 elementor-widget elementor-widget-heading\" data-id=\"47b45e8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Retrieving a return address<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e055f0f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e055f0f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div 
class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f0cfbca\" data-id=\"f0cfbca\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-799f36a elementor-widget elementor-widget-text-editor\" data-id=\"799f36a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In this second step, you can retrieve a return address for your injection. As usual, this address must land within the \u201cA\u201ds of your injection.<\/p><p>To do so, at the <code>leave<\/code> instruction, type the command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-318d70e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"318d70e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-410c581\" data-id=\"410c581\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-53a76ff elementor-widget elementor-widget-code-highlight\" data-id=\"53a76ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia 
copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>x\/300x $esp<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-21d27da elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"21d27da\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f576c32\" data-id=\"f576c32\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b3382f6 elementor-widget elementor-widget-text-editor\" data-id=\"b3382f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This command displays the contents of the stack, in hexadecimal, at a given moment.<br \/>Pick an address where you see many \u201cA\u201ds (<code>0x41<\/code>).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-08afcad elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"08afcad\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-919a9c5\" data-id=\"919a9c5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c6e551a elementor-widget elementor-widget-heading\" data-id=\"c6e551a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Adapting the Narnia2 payload<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-20355fd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"20355fd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-51e55b6\" data-id=\"51e55b6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f0ee614 elementor-widget elementor-widget-text-editor\" data-id=\"f0ee614\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If you have not read the article on building the Narnia2 shellcode, <a href=\"https:\/\/mindshield.eu\/index.php\/2023\/03\/01\/narnia2\/\">click here<\/a>!<\/p><p>In summary, here are the steps to follow:<\/p><ol><li>Write an assembly script that opens a shell,<\/li><li>Assemble the 
code with the nasm command (in 32-bit mode),<\/li><li>Collect the hexadecimal bytes from the objdump output to build your shellcode.<\/li><\/ol><p>Otherwise, you can reuse your Narnia2 shellcode and adapt it for this case!<\/p><p>Finally, all that remains is to substitute the values found in the previous steps (number of NOPs and return address) to obtain an injection in this format:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bc35e15 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bc35e15\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6069545\" data-id=\"6069545\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c4a7762 elementor-widget elementor-widget-code-highlight\" data-id=\"c4a7762\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"\\x90\" * XX + \"shellcode\" + \"\\x90\" * YY + \"adresse\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-e798a84 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e798a84\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f4325e1\" data-id=\"f4325e1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-abe9955 elementor-widget elementor-widget-text-editor\" data-id=\"abe9955\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhere <b>XX + YY + shellcode length = length determined in step 1<\/b>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b3b4c02 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b3b4c02\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8f67ad2\" data-id=\"8f67ad2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7657fde elementor-widget elementor-widget-heading\" data-id=\"7657fde\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8388fc4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8388fc4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-db3d725\" data-id=\"db3d725\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d054b43 elementor-widget elementor-widget-text-editor\" data-id=\"d054b43\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If you understood the principle of the Narnia2 challenge, this one should not give you any trouble.<\/p><p>Feel free to reread the explanations given in this article.<\/p><p>Finally, in the resources, you will find a fairly handy online tool to help you generate your shellcode.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fe55792 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fe55792\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div 
class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-72aef0b\" data-id=\"72aef0b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fa9fd38 elementor-widget elementor-widget-heading\" data-id=\"fa9fd38\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Resources<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b7631b0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b7631b0\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-89272b8\" data-id=\"89272b8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-85412fd elementor-widget elementor-widget-text-editor\" data-id=\"85412fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/defuse.ca\/online-x86-assembler.htm#disassembly\">defuse.ca (Online Assembler for Shellcode)<\/a><\/p><p><a href=\"https:\/\/mindshield.eu\/index.php\/2023\/02\/06\/narnia-2\/\">Narnia 2 \u2013 
MindShield<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Back for the 4th Narnia challenge! The Narnia 4 challenge is very similar to the Narnia2 challenge covered earlier; it is the same security flaw. Let's start dissecting this challenge without further delay! Discovery The goal of this challenge is to execute a shell thanks to setuid, in order to obtain the&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/05\/01\/narnia4\/\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10,9],"class_list":["post-588","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit","tag-shellcode"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=588"}],"version-history":[{"count":27,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/588\/revisions"}],"predecessor-version":[{"id":856,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/588\/revisions\/856"}],"wp:attachment":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=588"}],"wp:term":[{"taxonomy":"category","embe
ddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}