Wargame
[App-system] ELF x86 - Stack buffer overflow - ret2dl_resolve
1. intro 2. code 및 분석 2.1. code code가 제공되지 않고 remote server로 접속해서 푸는 문제이다. 2.2. 분석 다른 문제가 안풀려서 푸는 문제... ㅠㅠ 우선 checksec부터 해봤다. app-systeme-ch77@challenge03:~$ checksec ch77 [*] '/challenge/app-systeme/ch77/ch77' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) 32 bit 파일이다. 소스코드가 제공되지 않기에 바로 gdb로 열어보았더니 app-systeme-ch77@challenge03:~$ gef ch77..
[App system] ELF x64 - Stack buffer overflow - advanced
1. intro 2. code 및 분석 2.1. code #include #include /* gcc -o ch34 ch34.c -fno-stack-protector -Wl,-z,relro,-z,now,-z,noexecstack -static */ int main(int argc, char **argv){ char buffer[256]; int len, i; gets(buffer); len = strlen(buffer); printf("Hex result: "); for (i=0; i pwnlib.shellcraft.amd64 — Shellcode for AMD64 — pwntools 2.2.1 documentation Shellcraft module containing generic Intel x86_..
[App system] ELF x86 - Stack buffer overflow basic 5
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include #include #define BUFFER 512 struct Init { char username[128]; uid_t uid; pid_t pid; }; void cpstr(char *dst, const char *src) { for(; *src; src++, dst++) { *dst = *src; } *dst = 0; } void chomp(char *buff) { for(; *buff; buff++) { if(*buff == '\n' || *buff == '\r' || *buff == '\t') { *buff = 0; break; } } } struct Init ..
[App-system] ELF x86 - Stack buffer and integer overflow
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include #define BUFFER 128 void read_data(char *data, int fd, int size) { while(read(fd, data, 1) == 1 && *data && size) { size--; data++; } } void read_file(int fd) { char path[BUFFER+1] = {0}; int size; if(read(fd, &size, sizeof(int)) != sizeof(int)) { printf("[-] File too short.\n"); exit(0); } if(size >= BUFFER) { printf("[..
[App-system] ELF x86 - Stack buffer overflow - C++ vtables
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include class formatter { public : virtual int RTTI( ) =0 ; virtual void displayName( ) =0 ; virtual void format( const char * ptr ) =0 ; }; class UpperFormatter: public formatter { public : virtual int RTTI( ) { return 1; }; virtual void displayName( ) { printf ("UpperFormatter"); } virtual void format( const char * ptr ) { co..
[Phoenix] Final two
1. intro 2. code 및 분석 2.1. C code /* * phoenix/final-two, by https://exploit.education * * This level is linked against ftp://gee.cs.oswego.edu/pub/misc/malloc.c * version 2.7.2, with a SHA1 sum of 407329d164e4989b59b9a828760acb720dc5c7db * * Can you get a shell via heap corruption? * * A man drives train for a living in Bulgaria. He absolutely loved his job, * and it had been his dream job ever..