rop
·
Wargame/Dreamhack
// Name: rop.c // Compile: gcc -o rop rop.c -fno-PIE -no-pie #include #include int main() { char buf[0x30]; setvbuf(stdin, 0, _IONBF, 0); setvbuf(stdout, 0, _IONBF, 0); // Leak canary puts("[1] Leak Canary"); printf("Buf: "); read(0, buf, 0x100); printf("Buf: %s\n", buf); // Do ROP puts("[2] Input ROP payload"); printf("Buf: "); read(0, buf, 0x100); return 0; } 앞선 문제와 동일하게 canary는 얻으면 되고, 이 문제의 ..
Return to Library
·
Wargame/Dreamhack
// Name: rtl.c // Compile: gcc -o rtl rtl.c -fno-PIE -no-pie #include #include const char* binsh = "/bin/sh"; int main() { char buf[0x30]; setvbuf(stdin, 0, _IONBF, 0); setvbuf(stdout, 0, _IONBF, 0); // Add system function to plt's entry system("echo 'system@plt"); // Leak canary printf("[1] Leak Canary\n"); printf("Buf: "); read(0, buf, 0x100); printf("Buf: %s\n", buf); // Overwrite return addr..
Return to Shellcode
·
Wargame/Dreamhack
#include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int main() { char buf[0x50]; init(); printf("Address of the buf: %p\n", buf); printf("Distance between buf and $rbp: %ld\n", (char*)__builtin_frame_address(0) - buf); printf("[1] Leak the canary\n"); printf("Input: "); fflush(stdout); read(0, buf, 0x100); printf("Your input is '%s'\n", buf); puts("[2] Overwrite ..
[App-System] ELF x64 - Double free
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include struct Zombie { int hp; void (*hurt)(); void (*eatBody)(); void (*attack)(); int living; }; struct Human { int hp; void (*fire)(int); void (*prayChuckToGiveAMiracle)(); void (*suicide)(); int living; }; struct Zombie *zombies[3]; struct Human *human = NULL; void fire(int zombieIndex) { struct Zombie *zombie = zombies[zombieIndex..
[App-System] ELF x64 - Stack buffer overflow - PIE
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include // Instructions // // gcc -o chall chall.c -Wl,-z,norelro -fno-stack-protector (on the app-systeme-ch61 server for instance, but the goal is to enable NX and PIE) void Winner() { printf("Access granted!\n"); FILE *fp; int c; fp = fopen(".passwd", "r"); if (fp == NULL) { perror("Error while opening the file.\n"); exit(EXIT_FAILURE); } else { print..
[App-System] ELF x64 - Stack buffer overflow - basic
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include /* gcc -o ch35 ch35.c -fno-stack-protector -no-pie -Wl,-z,relro,-z,now,-z,noexecstack */ void callMeMaybe(){ char *argv[] = { "/bin/bash", "-p", NULL }; execve(argv[0], argv, NULL); } int main(int argc, char **argv){ char buffer[256]; int len, i; scanf("%s", buffer); len = strlen(buffer); printf("Hello %s\n", buffer); r..