{"id":714,"date":"2023-08-01T11:41:02","date_gmt":"2023-08-01T09:41:02","guid":{"rendered":"https:\/\/mindshield.eu\/?p=714"},"modified":"2025-12-17T18:24:26","modified_gmt":"2025-12-17T17:24:26","slug":"narnia7","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/08\/01\/narnia7\/","title":{"rendered":"\ud83e\udd81Narnia 7"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"714\" class=\"elementor elementor-714\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0e352fd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0e352fd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1b1bf8a\" data-id=\"1b1bf8a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a1b8e00 elementor-widget elementor-widget-text-editor\" data-id=\"a1b8e00\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Back again, not to play a nasty trick on you, but rather to give you a few pointers for completing the Narnia7 challenge quickly.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-151183a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"151183a\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ef80771\" data-id=\"ef80771\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e30a14 elementor-widget elementor-widget-heading\" data-id=\"7e30a14\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Discovery<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e58c1fc elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e58c1fc\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3100555\" data-id=\"3100555\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-328b87e elementor-widget elementor-widget-code-highlight\" data-id=\"328b87e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;
\r\n#include &lt;string.h&gt;\r\n#include &lt;unistd.h&gt;\r\n#include &lt;sys\/types.h&gt;\r\n    \r\nint goodfunction();\r\nint hackedfunction();\r\n\r\nint vuln(const char *format){\r\n        char buffer[128];\r\n        int (*ptrf)();\r\n\r\n        memset(buffer, 0, sizeof(buffer));\r\n        printf(\"goodfunction() = %p\\n\", goodfunction);\r\n        printf(\"hackedfunction() = %p\\n\\n\", hackedfunction);\r\n\r\n        ptrf = goodfunction;\r\n        printf(\"before : ptrf() = %p (%p)\\n\", ptrf, &amp;ptrf);\r\n\r\n        printf(\"I guess you want to come to the hackedfunction...\\n\");\r\n        sleep(2);\r\n        ptrf = goodfunction;\r\n\r\n        \/* format comes straight from argv[1] and is used as the format string *\/\r\n        snprintf(buffer, sizeof buffer, format);\r\n\r\n        return ptrf();\r\n}\r\n\r\nint main(int argc, char **argv){\r\n        if (argc &lt;= 1){\r\n                fprintf(stderr, &quot;Usage: %s \\n&quot;, argv[0]);\r\n                exit(-1);\r\n        }\r\n        exit(vuln(argv[1]));\r\n}\r\n\r\nint goodfunction(){\r\n        printf(&quot;Welcome to the goodfunction, but i said the Hackedfunction..\\n&quot;);\r\n        fflush(stdout);\r\n\r\n        return 0;\r\n}\r\n\r\nint hackedfunction(){\r\n        printf(&quot;Way to go!!!!&quot;);\r\n        fflush(stdout);\r\n        setreuid(geteuid(),geteuid());\r\n        system(&quot;\/bin\/sh&quot;);\r\n\r\n        return 0;\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5390734 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5390734\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-718645d\" data-id=\"718645d\" 
data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-009e295 elementor-widget elementor-widget-text-editor\" data-id=\"009e295\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As you have probably guessed, completing this challenge means getting the <code>hackedfunction()<\/code> function to execute.<\/p><p>There is no vulnerability to exploit in <code>main<\/code>. All we can do is pass an argument.<\/p><p>That argument is then handed to the <code>vuln()<\/code> function under the name <code>format<\/code>.<\/p><p>This parameter is used only in <code>snprintf<\/code>. That is indeed where the vulnerability to exploit lies.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-da2021b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"da2021b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a4b20cf\" data-id=\"a4b20cf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ec32573 elementor-widget elementor-widget-heading\" data-id=\"ec32573\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-aa67098 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"aa67098\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0258088\" data-id=\"0258088\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a6ab67d elementor-widget elementor-widget-text-editor\" data-id=\"a6ab67d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the same way as in the Narnia5 challenge, we are going to use a <strong>format string<\/strong> vulnerability.<\/p><blockquote><p>As a reminder, functions in the <code>printf<\/code> family, such as <code>snprintf<\/code>, do not necessarily check the type of the data passed to them, which is what makes them vulnerable.<\/p><\/blockquote><p>As seen previously, and with the help of the guides listed under <strong>Resources<\/strong>, we are going to use the <code>%n<\/code> format specifier to <strong>write directly to the stack<\/strong>.<\/p><p>The <code>%n<\/code> specifier therefore needs:<\/p><ul><li>Data to write, which in our case is the address of the 
<code>hackedfunction()<\/code> function;<\/li><li>A destination to write that data to, namely the address of the <code>ptrf<\/code> pointer.<\/li><\/ul><p>Luckily for us, the program prints this information every time it is run.<\/p><blockquote><p><strong>Quick tip<\/strong>: The address of the <code>hackedfunction()<\/code> function can be written in the <code>\\xff\\xff\\xff\\xff<\/code> format, but not the address of the <code>ptrf<\/code> pointer, which has to be interpretable by <code>snprintf<\/code> <img decoding=\"async\" class=\"emoji\" role=\"img\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/1f60a.svg\" alt=\"\ud83d\ude0a\" \/><\/p><\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2d3639c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2d3639c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d794ccb\" data-id=\"d794ccb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-480641a elementor-widget elementor-widget-heading\" data-id=\"480641a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section 
class=\"elementor-section elementor-top-section elementor-element elementor-element-43f29e0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"43f29e0\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2b41f04\" data-id=\"2b41f04\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6160c69 elementor-widget elementor-widget-text-editor\" data-id=\"6160c69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Once again, you have everything you need to complete this new challenge.<\/p><p>The main difficulty of this challenge lies in understanding the <code>%n<\/code> specifier and how format string vulnerabilities work.<\/p><p>See you in a month for the last challenge in this series!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0f17c92 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0f17c92\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8886f3c\" data-id=\"8886f3c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e940f30 elementor-widget elementor-widget-heading\" data-id=\"e940f30\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Resources<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-21f78e5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"21f78e5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f61c287\" data-id=\"f61c287\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a276a8a elementor-widget elementor-widget-text-editor\" data-id=\"a276a8a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><a href=\"https:\/\/owasp.org\/www-community\/attacks\/Format_string_attack\">Format string attack | OWASP Foundation<\/a><\/p><p><a href=\"https:\/\/medium.com\/@gurdeeps158\/exploit-format-string-vulnerability-in-printf-6740d9ff057e\">Exploit format String vulnerability in printf() | by GURDEEP SINGH | Medium<\/a><\/p><p><a href=\"https:\/\/cs155.stanford.edu\/papers\/formatstring-1.2.pdf\">formatstring-1.2.pdf (stanford.edu)<\/a><\/p><p><a href=\"https:\/\/www.exploit-db.com\/docs\/english\/28476-linux-format-string-exploitation.pdf\">Format Strings 
Exploitation Tutorial (exploit-db.com)<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Back again, not to play a nasty trick on you, but rather to give you a few pointers for completing the Narnia7 challenge quickly. Discovery #include #include #include #include #include int goodfunction(); int hackedfunction(); int vuln(const char *format){ char buffer[128]; int (*ptrf)(); memset(buffer, 0, sizeof(buffer)); printf(&#8220;goodfunction() = %pn&#8221;, goodfunction); printf(&#8220;hackedfunction() = %pnn&#8221;, hackedfunction); ptrf =&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/08\/01\/narnia7\/\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10,11],"class_list":["post-714","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit","tag-formatstring"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=714"}],"version-history":[{"count":21,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/714\/revisions"}],"predecessor-version":[{"id":918,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/714\/revisions\/918"}],"wp:attachment":[{"href":"ht
tps:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}