Wargame/Dreamhack
iofile_aw
1. intro 2. code 및 분석 2.1 code // gcc -o iofile_aw iofile_aw.c -fno-stack-protector -Wl,-z,relro,-z,now #include #include #include #include #include char buf[80]; int size = 512; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } void read_str() { fgets(buf, sizeo..
Bypass IO_validate_vtable
1. intro 2. code 및 분석 2.1 code // Name: bypass_valid_vtable // gcc -o bypass_valid_vtable bypass_valid_vtable.c -no-pie #include #include FILE *fp; void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int main() { init(); fp = fopen("/dev/urandom", "r"); printf("stdout: %p\n", stdout); printf("Data: "); read(0, fp, 300); fclose(fp); } 2.2 분석 main 함수 내에서 /dev/urandom 파일을 읽기 권한으로 연 뒤..
_IO_FILE Arbitrary Address Write
1. intro 2. code 및 분석 2.1 code // Name: iofile_aaw // gcc -o iofile_aaw iofile_aaw.c -no-pie #include #include #include char flag_buf[1024]; int overwrite_me; void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int read_flag() { FILE *fp; fp = fopen("/home/iofile_aaw/flag", "r"); fread(flag_buf, sizeof(char), sizeof(flag_buf), fp); write(1, flag_buf, sizeof(flag_buf)); fclose(fp);..
_IO_FILE Arbitrary Address Read
1. intro 2. code 및 분석 2.1 code // Name: iofile_aar // gcc -o iofile_aar iofile_aar.c -no-pie #include #include #include char flag_buf[1024]; FILE *fp; void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int read_flag() { FILE *fp; fp = fopen("/home/iofile_aar/flag", "r"); fread(flag_buf, sizeof(char), sizeof(flag_buf), fp); fclose(fp); } int main() { const char *data = "TEST FILE!..
send_sig
1. intro 2. code 및 분석 2.1 code 이번 문제는 코드가 별도로 제공되지 않고, 문제 파일과 dockerfile만 제공된다. 그래서 IDA로 디스어셈블 해보았다. void __noreturn start() { setvbuf(stdout, 0LL, 2, 0LL); setvbuf(stdin, 0LL, 1, 0LL); write(1, "++++++++++++++++++Welcome to dreamhack++++++++++++++++++\n", 0x39uLL); write(1, "+ You can send a signal to dreamhack server. +\n", 0x39uLL); write(1, "++++++++++++++++++++++++++++++++++++++++++++++++++..
SigReturn-Oriented Programming
1. intro 2. code 및 분석 2.1 code // Name: srop.c // Compile: gcc -o srop srop.c -fno-stack-protector -no-pie #include int gadget() { asm("pop %rax;" "syscall;" "ret" ); } int main() { char buf[16]; read(0, buf ,1024); } ┌──(kali㉿kali)-[~/Downloads] └─$ checksec srop [*] '/home/kali/Downloads/srop' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x40000..
rtld
1. intro 2. code 및 분석 2.1 code // gcc -o rtld rtld.c -fPIC -pie #include #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } void get_shell() { system("/bin/sh"); } int main() { long addr; long value; initialize(); printf("stdout..