1
00:00:02,139 --> 00:00:03,560
We're going to begin by opening our

2
00:00:03,560 --> 00:00:06,320
Kali Linux machine, and opening our terminal.

3
00:00:06,320 --> 00:00:10,153
And there, we're going to ssh into the server.

4
00:00:13,097 --> 00:00:17,264
Using our username narnia0@narnia.labs.overthewire.org.

5
00:00:20,760 --> 00:00:23,260
Using our password of narnia0.

6
00:00:25,019 --> 00:00:26,571
Once we connect, we're going to cd

7
00:00:26,571 --> 00:00:29,017
into the narnia directory.

8
00:00:29,017 --> 00:00:31,309
Once we've done that, we need to look at the actual

9
00:00:31,309 --> 00:00:33,189
program that we're trying to exploit.

10
00:00:33,189 --> 00:00:35,106
In our case, narnia0.c.

11
00:00:35,970 --> 00:00:40,137
To do that we're going to end up doing cat narnia0.c.

12
00:00:44,040 --> 00:00:48,207
And the program's contents will get shown on our screen.

13
00:00:50,919 --> 00:00:54,491
So at this point we can see the actual code itself.

14
00:00:54,491 --> 00:00:57,072
We can see it's a C program with our standard I/O headers,

15
00:00:57,072 --> 00:00:58,750
and our standard I/O libraries.

16
00:00:58,750 --> 00:01:02,583
Notice the long value there, 0x41414141,

17
00:01:03,771 --> 00:01:07,451
and our char, our character, our buffer, is 20 characters.

18
00:01:07,451 --> 00:01:09,621
So if we put in something over 20 characters,

19
00:01:09,621 --> 00:01:12,160
we should be able to do a buffer overflow in this case,

20
00:01:12,160 --> 00:01:14,658
because it will be greater than what it's expecting.

21
00:01:14,658 --> 00:01:18,327
Notice in the program, if the value equals deadbeef,

22
00:01:18,327 --> 00:01:21,649
then it will give us a shell, /bin/sh.

23
00:01:21,649 --> 00:01:23,191
So what we're trying to do is do an overflow

24
00:01:23,191 --> 00:01:24,951
and then write into memory

25
00:01:24,951 --> 00:01:27,479
the hexadecimal value of deadbeef.

26
00:01:27,479 --> 00:01:29,239
So here we're going to execute the program,

27
00:01:29,239 --> 00:01:32,156
and we're going to put in an input.

28
00:01:33,640 --> 00:01:37,390
In this case I'm going to put in a bunch of A's.

29
00:01:41,228 --> 00:01:45,395
I'm counting carefully to put in 20 A's and four B's.

30
00:01:48,212 --> 00:01:50,681
What happened is I overflowed the buffer with the A's,

31
00:01:50,681 --> 00:01:54,361
and so the value got overwritten from 41414141

32
00:01:54,361 --> 00:01:58,528
to 42424242, which was the hex representation of those B's.

33
00:01:59,531 --> 00:02:02,012
So at this point I'm going to write a short Python script

34
00:02:02,012 --> 00:02:05,577
that will put 20 A's followed by the hexadecimal

35
00:02:05,577 --> 00:02:09,410
characters that I want, in this case deadbeef.

36
00:02:12,969 --> 00:02:15,644
Now I have to put it in a little bit backwards,

37
00:02:15,644 --> 00:02:17,313
and that's because of the fact that this machine

38
00:02:17,313 --> 00:02:21,692
is using first in first out, or last in first out

39
00:02:21,692 --> 00:02:23,932
architecture, based on this machine.

40
00:02:23,932 --> 00:02:28,099
So in this case I'm going to use \xef\xbe\xad\xde.

41
00:02:29,070 --> 00:02:32,797
And then I'm going to pipe that output

42
00:02:32,797 --> 00:02:35,740
into the narnia.c program,

43
00:02:35,740 --> 00:02:37,240
narnia0.c program.

44
00:02:39,018 --> 00:02:41,529
Notice my value has been overwritten with deadbeef

45
00:02:41,529 --> 00:02:43,196
just like we wanted.

46
00:02:44,839 --> 00:02:46,747
Now notice when I run this Python script

47
00:02:46,747 --> 00:02:48,145
my value does change,

48
00:02:48,145 --> 00:02:50,449
but nothing else happens, I'm just returned to the shell.

49
00:02:50,449 --> 00:02:52,339
And that's because I executed the shell.

50
00:02:52,339 --> 00:02:53,919
Now what I want to do is have it

51
00:02:53,919 --> 00:02:56,689
so that when I execute the shell it does something for me.

52
00:02:56,689 --> 00:02:58,599
In this case, I want it to show me

53
00:02:58,599 --> 00:03:00,298
what the password is for this stage,

54
00:03:00,298 --> 00:03:02,419
which allows me to go to stage two.

55
00:03:02,419 --> 00:03:06,267
The way I'll do that is by using an echo command.

56
00:03:06,267 --> 00:03:07,947
And so in this case, I'll use the same Python script

57
00:03:07,947 --> 00:03:09,769
I used, and then put a semicolon,

58
00:03:09,769 --> 00:03:13,936
echo 'cat /etc/narnia_pass/narnia1'

59
00:03:16,546 --> 00:03:17,980
Which gives me the code to go into

60
00:03:17,980 --> 00:03:21,079
the next level, which would be narnia two's level.

61
00:03:21,079 --> 00:03:25,246
Then I do the pipe and run the program of narnia/narnia0

62
00:03:27,091 --> 00:03:29,239
as you can see my buffer gets overwritten,

63
00:03:29,239 --> 00:03:30,868
deadbeef is written to the value,

64
00:03:30,868 --> 00:03:32,817
which then goes to execute the shell,

65
00:03:32,817 --> 00:03:34,868
in this case executing my command,

66
00:03:34,868 --> 00:03:37,868
the cat of the password for narnia1.

67
00:03:39,169 --> 00:03:40,369
And I get the answer to the riddle

68
00:03:40,369 --> 00:03:44,536
which was E-F-E-I-E-I-E-D-A-E.

69
00:03:45,966 --> 00:03:49,368
If I go now over the wire and use narnia1 as my username,

70
00:03:49,368 --> 00:03:54,279
and I use that as my password, E-F-E-I-E-I-E-E-A-E,

71
00:03:54,279 --> 00:03:56,729
I can then go to challenge number two.

72
00:03:56,729 --> 00:03:58,137
And that's just a very simple example of how

73
00:03:58,137 --> 00:04:00,028
a buffer overflow works.

74
00:04:00,028 --> 00:04:04,239
In this case we overrode a 20 character memory allocation,

75
00:04:04,239 --> 00:04:06,449
pushing in those last four characters,

76
00:04:06,449 --> 00:04:08,497
whichever we put in there, into the memory.

77
00:04:08,497 --> 00:04:10,439
In this case matching up the composite overrun

78
00:04:10,439 --> 00:04:13,772
to run our /bin/sh, or our shell.
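The 20-byte buffer sitting next to the 0x41414141 value that the walkthrough keeps returning to, as an added C example that is not code from the video or from OverTheWire: it models that layout as raw bytes and shows that a copy bounded by the input lets bytes 20..23 land in the value (four B's give 0x42424242, the reversed deadbeef bytes give 0xdeadbeef on a little-endian machine), while a copy bounded by the buffer leaves it untouched. BUF_LEN, FRAME_LEN and val_after are names assumed for this demo, not taken from narnia0.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model of the narnia0 frame in the video: a 20-byte buffer directly followed
 * by the 4-byte val (0x41414141), held as raw bytes to avoid UB in the demo. */
#define BUF_LEN   20
#define FRAME_LEN (BUF_LEN + 4)
static uint32_t read_val(const unsigned char *frame)
{
    uint32_t val;
    memcpy(&val, frame + BUF_LEN, sizeof val);   /* bytes 20..23 */
    return val;
}
/* The bug: the copy is bounded by the input, not by the buffer, so input
 * bytes 20..23 land in val. (The model clips at the frame end; a real
 * stack has no such guard.) */
static void copy_unbounded(unsigned char *frame, const char *in, size_t len)
{
    memcpy(frame, in, len < FRAME_LEN ? len : FRAME_LEN);
}
/* The fix: bound by the buffer and NUL-terminate, which is exactly what
 * fgets(buf, sizeof buf, stdin) would do in the real program. */
static void copy_bounded(unsigned char *frame, const char *in, size_t len)
{
    size_t n = len < BUF_LEN - 1 ? len : BUF_LEN - 1;
    memcpy(frame, in, n);
    frame[n] = '\0';
}
/* Feed `len` bytes of (possibly binary) input through one copy; return val. */
uint32_t val_after(const char *in, size_t len, int bounded)
{
    unsigned char frame[FRAME_LEN];
    uint32_t init = 0x41414141;
    memset(frame, 0, BUF_LEN);
    memcpy(frame + BUF_LEN, &init, sizeof init);
    if (bounded) copy_bounded(frame, in, len);
    else         copy_unbounded(frame, in, len);
    return read_val(frame);
}
int main(void)
{
    /* Constructed inputs matching the video: 20 A's then four B's, and
       20 A's then the little-endian bytes of 0xdeadbeef. */
    static const char bbbb[] = "AAAAAAAAAAAAAAAAAAAABBBB";
    static const char beef[] = "AAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde";
    printf("unbounded BBBB: 0x%08x\n", (unsigned)val_after(bbbb, sizeof bbbb - 1, 0));
    printf("unbounded beef: 0x%08x\n", (unsigned)val_after(beef, sizeof beef - 1, 0));
    printf("bounded   beef: 0x%08x\n", (unsigned)val_after(beef, sizeof beef - 1, 1));
    return 0;
}
```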