Wargame
iofile_aw
1. intro 2. code 및 분석 2.1 code // gcc -o iofile_aw iofile_aw.c -fno-stack-protector -Wl,-z,relro,-z,now #include #include #include #include #include char buf[80]; int size = 512; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } void read_str() { fgets(buf, sizeo..
Bypass IO_validate_vtable
1. intro 2. code 및 분석 2.1 code
// Name: bypass_valid_vtable
// gcc -o bypass_valid_vtable bypass_valid_vtable.c -no-pie
// NOTE(review): -no-pie builds a non-position-independent executable, so the
// binary's own code and data are not relocated by ASLR.
// NOTE(review): the header names after #include were lost when this excerpt was
// extracted; presumably <stdio.h> and <unistd.h> (for read) - confirm against
// the original post.
#include
#include

/* Stream handle shared by the whole program; assigned once in main(). */
FILE *fp;

/*
 * Switch stdin and stdout to mode 2 with no caller-supplied buffer.
 * On glibc, mode 2 is _IONBF (unbuffered).
 */
void init() {
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
}

/*
 * Deliberately vulnerable exercise program: opens a stream, prints the
 * address of stdout, then copies raw input over the stream object itself
 * before closing it.
 */
int main() {
    init();
    /* The fopen result is never checked for NULL before it is used below. */
    fp = fopen("/dev/urandom", "r");
    /* Address disclosure: prints where the stdout FILE object lives. */
    printf("stdout: %p\n", stdout);
    printf("Data: ");
    /*
     * Defect under study: fp is the destination buffer here, so up to 300
     * bytes from fd 0 are written over the FILE object that fopen returned.
     * No length or content check separates the input from the library's
     * internal stream state. Safe code reads into a dedicated, size-bounded
     * buffer and never writes through a FILE pointer directly.
     */
    read(0, fp, 300);
    /*
     * fclose then operates on whatever the input left in that object.
     * Going by the post title, the exercise is about glibc's
     * IO_validate_vtable check; that check is a hardening layer and does
     * not make the read above safe.
     */
    fclose(fp);
}
2.2 분석 main 함수 내에서 /dev/urandom 파일을 읽기 권한으로 연 뒤..
_IO_FILE Arbitrary Address Write
1. intro 2. code 및 분석 2.1 code // Name: iofile_aaw // gcc -o iofile_aaw iofile_aaw.c -no-pie #include #include #include char flag_buf[1024]; int overwrite_me; void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int read_flag() { FILE *fp; fp = fopen("/home/iofile_aaw/flag", "r"); fread(flag_buf, sizeof(char), sizeof(flag_buf), fp); write(1, flag_buf, sizeof(flag_buf)); fclose(fp);..
_IO_FILE Arbitrary Address Read
1. intro 2. code 및 분석 2.1 code // Name: iofile_aar // gcc -o iofile_aar iofile_aar.c -no-pie #include #include #include char flag_buf[1024]; FILE *fp; void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int read_flag() { FILE *fp; fp = fopen("/home/iofile_aar/flag", "r"); fread(flag_buf, sizeof(char), sizeof(flag_buf), fp); fclose(fp); } int main() { const char *data = "TEST FILE!..