All posts
[Phoenix] Net zero
1. intro 2. code and analysis 2.1. C code /* * phoenix/net-zero, by https://exploit.education * * What did the fish say when he swam head first into a wall? * Dam! */ #include #include #include #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int main(int argc, char **argv) { uint32_t i, j; setvbuf(stdout, NULL, _IONBF,..
Continuous free bug (double free bug)
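* Introduction Honestly, shouldn't this be called a continuous free or a heap free unlink bug rather than a double free? Shouldn't "double free" refer to freeing the same heap region? Is it just me...? * Principle - Preconditions and basic principle The double free bug is fundamentally based on a heap overflow. That is, because the P flag must be modifiable, a heap overflow is essential. When a heap region is freed, it stores the address to be used next in the fd field. In addition, when a heap region is initialized, if there is empty space between heap regions they are merged, and this is done through the unlink function. This is in order to use the heap region efficiently..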
[Phoenix] Heap three
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-three, by https://exploit.education * * This level is linked against ftp://gee.cs.oswego.edu/pub/misc/malloc-2.7.2.c * version 2.7.2, with a SHA1 sum of 407329d164e4989b59b9a828760acb720dc5c7db * more commonly known as "dlmalloc", Doug Lea Malloc * * Can you hijack flow control, and execute winner()? Afterwards, how * about your own code? This ..
[Phoenix] Heap two
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-two, by https://exploit.education * * This level examines what can happen when heap pointers are stale. This level * is completed when you see the "you have logged in already!" message. * * My dog would, without fail, always chase people on a bike. As soon as he saw * someone, he would immediately take off. I spoke to the vet to see if they * c..
[Phoenix] Heap one
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-zero, by https://exploit.education * * Can you hijack flow control? * * Which vegetable did Noah leave off the Ark? * Leeks */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" struct heapStructure { int priority; char *name; }; int main(int argc, char **argv) {..
[Phoenix] Heap zero
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-zero, by https://exploit.education * * Can you hijack flow control, and execute the winner function? * * Why do C programmers make good Buddhists? * Because they're not object orientated. */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" struct data { char na..
[Phoenix] Format four
1. intro 2. code and analysis 2.1. C code /* * phoenix/format-four, by https://exploit.education * * Can you affect code execution? Once you've got congratulations() to * execute, can you then execute your own shell code? * * Did you get a hair cut? * No, I got all of them cut. * */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit..
[Phoenix] Format three
1. intro 2. code and analysis 2.1. C code /* * phoenix/format-three, by https://exploit.education * * Can you change the "changeme" variable to a precise value? * * How do you fix a cracked pumpkin? With a pumpkin patch. */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int changeme; void bounce(char *str) { printf(st..
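A diary entry written at the tail end of September.
Self-assessment: ★★★☆☆ This month I barely managed to study at all. Still, I am steadily working through my goals. However, I often feel that my skills are not improving. To put it precisely, I am not good at applying what I know. I should solve many problems and study in a way that builds that ability. This year is also racing toward its end. Let's slowly set next year's goals too. - January to December: participate in CTFs, solve at least one pwn problem. - January to December: try creating pwnable problems (3 to 4 problems). - January to June: study reversing. - June to December: study crypto. Remaining goals base: organize theory immediately after studying it. August: dream hack lecture system hacking & advance clear September to October: write..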
[Phoenix] Format two
1. intro 2. code and analysis 2.1. C code /* * phoenix/format-two, by https://exploit.education * * Can you change the "changeme" variable? * * What kind of flower should never be put in a vase? * A cauliflower. */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int changeme; void bounce(char *str) { printf(str); } int..