Wargame/Exploit Education
[Phoenix] Final two
1. intro 2. code and analysis 2.1. C code /* * phoenix/final-two, by https://exploit.education * * This level is linked against ftp://gee.cs.oswego.edu/pub/misc/malloc.c * version 2.7.2, with a SHA1 sum of 407329d164e4989b59b9a828760acb720dc5c7db * * Can you get a shell via heap corruption? * * A man drives train for a living in Bulgaria. He absolutely loved his job, * and it had been his dream job ever..
[Phoenix] Final zero
1. intro 2. code and analysis 2.1. C code /* * phoenix/final-zero, by https://exploit.education * * The aim is to change the contents of the changeme variable. * * A woman has twins and gives them up for adoption. * * One of them goes to a family in Egypt and is named Amal. The other goes to a * family in Spain. They name him Juan. * * Years later, Juan sends a picture of himself to his birth mother. Up..
[Phoenix] Net two
1. intro 2. code and analysis 2.1. C code /* * phoenix/net-two, by https://exploit.education * * Shout out to anyone who doesn't know what the opposite of in is. * */ #include #include #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int main(int argc, char **argv) { int i; unsigned long quad[sizeof(long)], result, want..
[Phoenix] Net one
1. intro 2. code and analysis 2.1. C code /* * phoenix/net-one, by https://exploit.education * * Why aren't octal jokes funny? * Because 7 10 11 */ #include #include #include #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int main(int argc, char **argv) { uint32_t i; char buf[12], fub[12], *q; setvbuf(stdout, NULL, _I..
[Phoenix] Net zero
1. intro 2. code and analysis 2.1. C code /* * phoenix/net-zero, by https://exploit.education * * What did the fish say when he swam head first into a wall? * Dam! */ #include #include #include #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" int main(int argc, char **argv) { uint32_t i, j; setvbuf(stdout, NULL, _IONBF,..
[Phoenix] Heap three
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-three, by https://exploit.education * * This level is linked against ftp://gee.cs.oswego.edu/pub/misc/malloc-2.7.2.c * version 2.7.2, with a SHA1 sum of 407329d164e4989b59b9a828760acb720dc5c7db * more commonly known as "dlmalloc", Doug Lea Malloc * * Can you hijack flow control, and execute winner()? Afterwards, how * about your own code? This ..
[Phoenix] Heap two
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-two, by https://exploit.education * * This level examines what can happen when heap pointers are stale. This level * is completed when you see the "you have logged in already!" message. * * My dog would, without fail, always chase people on a bike. As soon as he saw * someone, he would immediately take off. I spoke to the vet to see if they * c..
[Phoenix] Heap one
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-zero, by https://exploit.education * * Can you hijack flow control? * * Which vegetable did Noah leave off the Ark? * Leeks */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" struct heapStructure { int priority; char *name; }; int main(int argc, char **argv) {..
[Phoenix] Heap zero
1. intro 2. code and analysis 2.1. C code /* * phoenix/heap-zero, by https://exploit.education * * Can you hijack flow control, and execute the winner function? * * Why do C programmers make good Buddhists? * Because they're not object orientated. */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit.education" struct data { char na..
[Phoenix] Format four
1. intro 2. code and analysis 2.1. C code /* * phoenix/format-four, by https://exploit.education * * Can you affect code execution? Once you've got congratulations() to * execute, can you then execute your own shell code? * * Did you get a hair cut? * No, I got all of them cut. * */ #include #include #include #include #include #define BANNER \ "Welcome to " LEVELNAME ", brought to you by https://exploit..