{"id":676,"date":"2023-07-01T11:44:12","date_gmt":"2023-07-01T09:44:12","guid":{"rendered":"https:\/\/mindshield.eu\/?p=676"},"modified":"2025-12-17T18:23:09","modified_gmt":"2025-12-17T17:23:09","slug":"narnia6","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/07\/01\/narnia6\/","title":{"rendered":"\ud83e\udd81Narnia 6"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"676\" class=\"elementor elementor-676\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8fbad28 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8fbad28\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c021258\" data-id=\"c021258\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a1ac6fd elementor-widget elementor-widget-text-editor\" data-id=\"a1ac6fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A new Narnia challenge to solve, and not a minor one! 
This one deals with a completely different kind of buffer overflow: the <b>return-to-libc<\/b>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6db1c98 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6db1c98\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d0c9c0c\" data-id=\"d0c9c0c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4ece43c elementor-widget elementor-widget-heading\" data-id=\"4ece43c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Discovery<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c1f04d2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c1f04d2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-815b1d4\" data-id=\"815b1d4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6a130f3 
elementor-widget elementor-widget-code-highlight\" data-id=\"6a130f3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nextern char **environ;\r\n\r\n\/\/ tired of fixing values...\r\n\/\/ - morla\r\n\r\nunsigned long get_sp(void) {\r\n       __asm__(\"movl %esp,%eax\\n\\t\"\r\n               \"and $0xff000000, %eax\"\r\n               );\r\n}\r\n\r\nint main(int argc, char *argv[]){\r\n        char b1[8], b2[8];\r\n        int  (*fp)(char *)=(int(*)(char *))&amp;puts, i;\r\n\r\n        if(argc!=3){ printf(\"%s b1 b2\\n\", argv[0]); exit(-1); }\r\n\r\n        \/* clear environ *\/\r\n        for(i=0; environ[i] != NULL; i++)\r\n                memset(environ[i], '\\0', strlen(environ[i]));\r\n        \/* clear argz    *\/\r\n        for(i=3; argv[i] != NULL; i++)\r\n                memset(argv[i], '\\0', strlen(argv[i]));\r\n\r\n        strcpy(b1,argv[1]);\r\n        strcpy(b2,argv[2]);\r\n        \/\/if(((unsigned long)fp &amp; 0xff000000) == 0xff000000)\r\n        if(((unsigned long)fp &amp; 0xff000000) == get_sp())\r\n                exit(-1);\r\n        setreuid(geteuid(),geteuid());\r\n    fp(b1);\r\n\r\n        exit(1);\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a657d7e elementor-widget elementor-widget-text-editor\" data-id=\"a657d7e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This challenge may seem complex at first, which is why I am going to 
start by explaining it piece by piece.<\/p><p>First, the get_sp function. This function takes the top of the stack (esp) and stores it in eax.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4bb0d88 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4bb0d88\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-90e3796\" data-id=\"90e3796\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-efd5dce elementor-widget elementor-widget-code-highlight\" data-id=\"efd5dce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>unsigned long get_sp(void) {\r\n       __asm__(\"movl %esp,%eax\\n\\t\"\r\n               \"and $0xff000000, %eax\"\r\n               );\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0dbb503 elementor-widget elementor-widget-text-editor\" data-id=\"0dbb503\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An &amp; operation is then 
performed between eax and 0xff000000.<\/p><p>This serves to check whether eax starts with 0xff. If it does, the &amp; operation will be equal to 0.<\/p><p>So get_sp() makes it possible to check that the top of the stack starts with 0xff.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d370456 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d370456\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bf6a80d\" data-id=\"bf6a80d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0e52e62 elementor-widget elementor-widget-text-editor\" data-id=\"0e52e62\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>On to main.<\/p><p>Several variables are declared right at the start:<\/p><ul><li>b1 and b2, two char arrays of 8 characters,<\/li><li>fp, which holds the address of the puts function,<\/li><li>i, an integer.<\/li><\/ul><p>fp is indeed a function pointer. 
Once called, it behaves exactly like the puts function.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6fb50ac elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6fb50ac\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-76034e2\" data-id=\"76034e2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a0da802 elementor-widget elementor-widget-code-highlight\" data-id=\"a0da802\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>char b1[8], b2[8];\nint  (*fp)(char *)=(int(*)(char *))&amp;puts, i;<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8739052 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8739052\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element 
elementor-element-a4973ac\" data-id=\"a4973ac\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fbf1fe6 elementor-widget elementor-widget-text-editor\" data-id=\"fbf1fe6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Next, a first condition checks that the <strong>number of arguments is exactly 3<\/strong>, that is:<\/p><ol><li>The name of the program (.\/narnia6),<\/li><li>The value of b1,<\/li><li>The value of b2.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a92968a elementor-widget elementor-widget-code-highlight\" data-id=\"a92968a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>if(argc!=3){ printf(\"%s b1 b2\\n\", argv[0]); exit(-1); }\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ffc9b5f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ffc9b5f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-92eeb38\" 
data-id=\"92eeb38\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f10b50a elementor-widget elementor-widget-text-editor\" data-id=\"f10b50a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Moving on, the first loop serves to &#8220;clean&#8221; the external variable named environ. It appears to be an array of char pointers.<\/p><p>At the end of the loop, environ will be <strong>entirely empty<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f030e96 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f030e96\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9713132\" data-id=\"9713132\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-284dfe7 elementor-widget elementor-widget-code-highlight\" data-id=\"284dfe7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp> \/* clear environ *\/\r\n        for(i=0; 
environ[i] != NULL; i++)\r\n                memset(environ[i], '\\0', strlen(environ[i]));<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e6512ad elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e6512ad\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f969e89\" data-id=\"f969e89\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4859b74 elementor-widget elementor-widget-text-editor\" data-id=\"4859b74\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Then, the second loop serves to wipe any additional argument.<br \/>If you try to pass a 4th argument, it will be zeroed out.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c5d07f8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c5d07f8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c5bb7c9\" data-id=\"c5bb7c9\" data-element_type=\"column\" 
data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ee13c04 elementor-widget elementor-widget-code-highlight\" data-id=\"ee13c04\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>\/* clear argz    *\/\r\nfor(i=3; argv[i] != NULL; i++)\r\n    memset(argv[i], '\\0', strlen(argv[i]));<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-fa10c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"fa10c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a8664ed\" data-id=\"a8664ed\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d91f609 elementor-widget elementor-widget-text-editor\" data-id=\"d91f609\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Next, the arguments <strong>argv[1]<\/strong> and <strong>argv[2]<\/strong> that we passed to the program are copied into the variables <strong>b1<\/strong> and 
<strong>b2<\/strong> respectively.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b42a408 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b42a408\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-850f858\" data-id=\"850f858\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b4859a3 elementor-widget elementor-widget-text-editor\" data-id=\"b4859a3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The last check, after the copy, verifies that the function pointer fp points to the stack (an address starting with 0xff). 
If it does not, the program stops.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-76c4987 elementor-widget elementor-widget-code-highlight\" data-id=\"76c4987\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>strcpy(b1,argv[1]);\r\nstrcpy(b2,argv[2]);<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4766205 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4766205\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a94da4b\" data-id=\"a94da4b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-dc88663 elementor-widget elementor-widget-code-highlight\" data-id=\"dc88663\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp> if(((unsigned long)fp &amp; 0xff000000) == get_sp())\r\n    
exit(-1);<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-baf3941 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"baf3941\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-55b17d9\" data-id=\"55b17d9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-418ef9f elementor-widget elementor-widget-text-editor\" data-id=\"418ef9f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Then setreuid is executed in order to elevate privileges.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-284dad8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"284dad8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7a9db22\" data-id=\"7a9db22\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f895aba 
elementor-widget elementor-widget-code-highlight\" data-id=\"f895aba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>setreuid(geteuid(),geteuid());<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-59f3f68 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"59f3f68\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-da11ec6\" data-id=\"da11ec6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-398696d elementor-widget elementor-widget-text-editor\" data-id=\"398696d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Finally, fp is called and the program exits.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9a1c02d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9a1c02d\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3cdc6a8\" data-id=\"3cdc6a8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-acbd3d2 elementor-widget elementor-widget-code-highlight\" data-id=\"acbd3d2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp> fp(b1);\n exit(1);<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-505957d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"505957d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-45c360a\" data-id=\"45c360a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a21f164 elementor-widget elementor-widget-text-editor\" data-id=\"a21f164\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Now that 
we understand the program a little better, we can exploit it.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e643909 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e643909\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0104d68\" data-id=\"0104d68\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d860f96 elementor-widget elementor-widget-heading\" data-id=\"d860f96\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0cd459f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0cd459f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ffa7345\" data-id=\"ffa7345\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6647eb5 elementor-widget 
elementor-widget-text-editor\" data-id=\"6647eb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>You are starting to get used to it: one of the main flaws in this program is that it uses the strcpy function.<\/p><blockquote><p>As a reminder, this is a vulnerable function because it checks neither where it copies the data nor how much, which makes overflows possible.<\/p><\/blockquote><p>Since the program already elevates its own privileges, <b>all that is missing is the execution of a shell<\/b>.<\/p><p>By overflowing <b>b1<\/b> or <b>b2<\/b>, we could write over <b>fp<\/b>. Since <b>fp<\/b> points to the <code>puts<\/code> function, we could make it point to another function that would let us execute <code>\/bin\/sh<\/code>!<\/p><blockquote><p><strong>A small subtlety to know<\/strong>: the variables b1 and b2 are declared together (on the same line), yet it is b2 that is stored first on the stack. 
The stack therefore looks like this:<\/p><ol><li>fp<\/li><li>b1<\/li><li>b2<\/li><\/ol><\/blockquote><p><strong>So by overflowing b1 we write over fp, and by overflowing b2 we write over b1<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-df24bce elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"df24bce\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ad55004\" data-id=\"ad55004\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-70c1a9e elementor-widget elementor-widget-heading\" data-id=\"70c1a9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">What goes where?<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-21c512d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"21c512d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ecc9937\" data-id=\"ecc9937\" data-element_type=\"column\" 
data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eca0543 elementor-widget elementor-widget-text-editor\" data-id=\"eca0543\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To complete this challenge, you will therefore have to perform two buffer overflows:<\/p><ul><li>The first on b1, to write a new function address over fp;<\/li><li>The second on b2, to write <code>\/bin\/sh<\/code> over b1.<\/li><\/ul><p>Indeed, <code>\/bin\/sh<\/code> cannot be written directly into b1, since every string ends with the null character (&#8216;<code>\\0<\/code>&#8217;). 
That would cut off the reading of the rest of the injection.<\/p><p>Our injection will therefore have the following form (with ADDR standing for the address of the chosen function):<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-29421d2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"29421d2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e4bf60a\" data-id=\"e4bf60a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b1ee520 elementor-widget elementor-widget-code-highlight\" data-id=\"b1ee520\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>.\/narnia6 $(python2 -c 'print(\"\\x90\"*X + ADDR)') $(python2 -c 'print(\"\\x90\"*X + \"\/bin\/sh\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5e095b4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5e095b4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div 
class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-48b6741\" data-id=\"48b6741\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6d641ba elementor-widget elementor-widget-text-editor\" data-id=\"6d641ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Here X remains to be determined so that the address and the <code>\/bin\/sh<\/code> land in the right place, and the address of the function is still to be found.<\/p><p>By the way, which function should we use?<br \/><br \/><\/p><p>It is enough to find a C function capable of executing a Linux command. I will let you look for that function on your own; I am sure you will find it without help \ud83d\ude09.<br \/><br \/><\/p><p>On the other hand, here is a helping hand for finding its address:<\/p><p>For this we will need peda, already used in the previous challenges.<br \/><br \/><\/p><p>To begin, set a breakpoint on main, anywhere in it:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4199cc4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4199cc4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column 
elementor-col-100 elementor-top-column elementor-element elementor-element-ca5313b\" data-id=\"ca5313b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-958e1af elementor-widget elementor-widget-code-highlight\" data-id=\"958e1af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>b main<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-944fe82 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"944fe82\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6f5eabb\" data-id=\"6f5eabb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b49807c elementor-widget elementor-widget-text-editor\" data-id=\"b49807c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Run the program:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-9e99e38 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9e99e38\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-abedd90\" data-id=\"abedd90\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-dfca40b elementor-widget elementor-widget-code-highlight\" data-id=\"dfca40b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>run<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-18e626d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"18e626d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-bd7e4a7\" data-id=\"bd7e4a7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-770f8cf elementor-widget 
elementor-widget-text-editor\" data-id=\"770f8cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Print the address of the function in question (here, for example, with the puts function):<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-761701a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"761701a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0f18af7\" data-id=\"0f18af7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a4e803c elementor-widget elementor-widget-code-highlight\" data-id=\"a4e803c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>p puts  # p is short for print<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f0be8ed elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f0be8ed\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3133b66\" data-id=\"3133b66\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e63e5d9 elementor-widget elementor-widget-text-editor\" data-id=\"e63e5d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This technique works because ASLR is disabled: the functions do not have randomized addresses.<\/p><p>Add this address to your injection.<\/p><p>All that is left is to find the right number of <code>\\x90<\/code> and the challenge is yours!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-53762f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"53762f9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1446071\" data-id=\"1446071\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e4c8f61 elementor-widget elementor-widget-heading\" data-id=\"e4c8f61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-80586d8 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"80586d8\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0582a0c\" data-id=\"0582a0c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f734cd3 elementor-widget elementor-widget-text-editor\" data-id=\"f734cd3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Why is this challenge called return to libc? In some cases it is difficult to inject a whole shellcode or to recover addresses from the binary, but the developer has loaded the C library (which, admittedly, is very handy when writing C), so all the functions of that library are loaded and will be reachable by an attacker, which can be very convenient.<\/p><p>Personally, I found this challenge very interesting. In my opinion, the biggest difficulty lies in understanding the program. 
Once understood, the solution is fairly intuitive to find \ud83d\ude0a<\/p><p>See you soon for the next one!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>A new Narnia challenge to solve, and not the least of them! This one tackles a completely different kind of buffer overflow: return-to-libc. Discovery #include #include #include extern char **environ; \/\/ tired of fixing values&#8230; \/\/ &#8211; morla unsigned long get_sp(void) { __asm__(&#8220;movl %esp,%eaxnt&#8221; &#8220;and $0xff000000, %eax&#8221; ); } int main(int argc, char *argv[]){ char b1[8],&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/07\/01\/narnia6\/\">Read 
more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10],"class_list":["post-676","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=676"}],"version-history":[{"count":43,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/676\/revisions"}],"predecessor-version":[{"id":915,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/676\/revisions\/915"}],"wp:attachment":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}