Wargame

    Wargame/Root me

    [App-Script] Bash - System 1

    1. intro 2. code 및 분석 2.1. code #include #include #include int main(void) { setreuid(geteuid(), geteuid()); system("ls /challenge/app-script/ch11/.passwd"); return 0; } 2.2. 분석 ㅁㄴㅇㄹ 3. 취약점 확인 및 공격 준비 3.1. 취약점 ㅁㄴㅇㄹ 3.2. 공격 준비 ㅁㄴㅇㄹ 4. exploit ㅁㄴㅇㄹ system 문제 풀다가 format string bug 3에서 막혀서 푸는 다른 문제... ㅠㅠ script 문제는 hackerschool의 ftz 느낌이 많이 난다. 코드에서 보듯이 ls로 .passwd 파일을 실행시키는데, 간단히 ls 명령어가 cat 명령어를 실행시..

    Wargame/Root me

    [App-System] ELF x86 - Format String Bug Basic 3

    1. intro 2. code 및 분석 2.1. code #include #include #include #include int main(int argc, char ** argv) { // char log_file = "/var/log/bin_error.log"; char outbuf[512]; char buffer[512]; char user[12]; char *username = "root-me"; // FILE *fp_log = fopen(log_file, "a"); printf("Username: "); fgets(user, sizeof(user), stdin); user[strlen(user) - 1] = '\0'; if (strcmp(user, username)) { sprintf (buffe..

    Wargame/Root me

    [App-System] ELF x86 - Stack buffer overflow basic 6

    1. intro 2. code 및 분석 2.1. code #include #include #include #include int main (int argc, char ** argv){ char message[20]; if (argc != 2){ printf ("Usage: %s \n", argv[0]); return -1; } setreuid(geteuid(), geteuid()); strcpy (message, argv[1]); printf ("Your message: %s\n", message); return 0; } 2.2. 분석 argv[1]을 message 변수에 복사하고 이를 출력한다. 3. 취약점 확인 및 공격 준비 3.1. 취약점 argv[1]의 크기를 체크하지 않아 overflow가 발생..

    Wargame/Root me

    [App-System] ELF x86 - Stack buffer overflow basic 4

    1. intro 2. code 및 분석 2.1. code #include #include #include #include struct EnvInfo { char home[128]; char username[128]; char shell[128]; char path[128]; }; struct EnvInfo GetEnv(void) { struct EnvInfo env; char *ptr; if((ptr = getenv("HOME")) == NULL) { printf("[-] Can't find HOME.\n"); exit(0); } strcpy(env.home, ptr); if((ptr = getenv("USERNAME")) == NULL) { printf("[-] Can't find USERNAME.\n..

    Wargame/Root me

    [App-System] ELF x64 - Double free

    1. intro 2. code 및 분석 2.1. code #include #include #include #include struct Zombie { int hp; void (*hurt)(); void (*eatBody)(); void (*attack)(); int living; }; struct Human { int hp; void (*fire)(int); void (*prayChuckToGiveAMiracle)(); void (*suicide)(); int living; }; struct Zombie *zombies[3]; struct Human *human = NULL; void fire(int zombieIndex) { struct Zombie *zombie = zombies[zombieIndex..

    Wargame/Root me

    [App-System] ELF x64 - Stack buffer overflow - PIE

    1. intro 2. code 및 분석 2.1. code #include #include // Instructions // // gcc -o chall chall.c -Wl,-z,norelro -fno-stack-protector (on the app-systeme-ch61 server for instance, but the goal is to enable NX and PIE) void Winner() { printf("Access granted!\n"); FILE *fp; int c; fp = fopen(".passwd", "r"); if (fp == NULL) { perror("Error while opening the file.\n"); exit(EXIT_FAILURE); } else { print..

    Wargame/Root me

    [App-System] ELF x86 - BSS buffer overflow

    1. intro 2. code 및 분석 2.1. code #include #include char username[512] = {1}; void (*_atexit)(int) = exit; void cp_username(char *name, const char *arg) { while((*(name++) = *(arg++))); *name = 0; } int main(int argc, char **argv) { if(argc != 2) { printf("[-] Usage : %s \n", argv[0]); exit(0); } cp_username(username, argv[1]); printf("[+] Running program with username : %s\n", username); _atexit(..

    Wargame/Root me

    [App-System] ELF x86 - Use After Free - basic

    1. intro 2. code 및 분석 2.1. code #include #include #include #include #define BUFLEN 64 struct Dog { char name[12]; void (*bark)(); void (*bringBackTheFlag)(); void (*death)(struct Dog*); }; struct DogHouse{ char address[16]; char name[8]; }; int eraseNl(char* line){ for(;*line != '\n'; line++); *line = 0; return 0; } void bark(){ int i; for(i = 3; i > 0; i--){ puts("UAF!!!"); sleep(1); } } void b..

    Wargame/Root me

    [App-System] ELF x86 - Stack buffer overflow basic 3

    1. intro 2. code 및 분석 2.1. code #include #include #include #include #include void shell(void); int main() { char buffer[64]; int check; int i = 0; int count = 0; printf("Enter your name: "); fflush(stdout); while(1) { if(count >= 64) printf("Oh no...Sorry !\n"); if(check == 0xbffffabc) shell(); else { read(fileno(stdin),&i,1); switch(i) { case '\n': printf("\a"); break; case 0x08: count--; print..

    Wargame/Root me

    [App-System] ELF x86 - Race condition

    1. intro 2. code 및 분석 2.1. code #include #include #include #include #include #include #include #include #define PASSWORD "/challenge/app-systeme/ch12/.passwd" #define TMP_FILE "/tmp/tmp_file.txt" int main(void) { int fd_tmp, fd_rd; char ch; if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) { printf("[-] Don't use a debugguer !\n"); abort(); } if((fd_tmp = open(TMP_FILE, O_WRONLY | O_CREAT, 0444)) == -1) ..

티스토리툴바