rtld
·
Wargame/Dreamhack
1. intro 2. code 및 분석 2.1 code
// gcc -o rtld rtld.c -fPIC -pie
// -fPIC -pie produces a position-independent executable, so the image itself
// can be loaded at a randomized base address.
// NOTE: the header name after each #include was lost when the page was extracted.
#include
#include
#include
#include
#include

/*
 * SIGALRM handler: prints "TIME OUT" and terminates the process with exit(-1).
 * NOTE(review): puts() and exit() are not async-signal-safe; a hardened
 * handler would restrict itself to write() and _exit().
 */
void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}

/*
 * Process setup: switches stdin and stdout to unbuffered mode, installs
 * alarm_handler for SIGALRM and arms a 60-second alarm, so the process
 * ends itself after one minute.
 */
void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    signal(SIGALRM, alarm_handler);
    alarm(60);
}

/*
 * Runs /bin/sh through system(). No call to this function appears in the
 * visible excerpt.
 */
void get_shell() {
    system("/bin/sh");
}

/*
 * Entry point. Declares two long values (addr, value) and calls initialize();
 * the rest of the body is cut off by the listing page, so how addr and value
 * are filled in and used cannot be seen here.
 */
int main() {
    long addr;
    long value;
    initialize();
    printf("stdout..
patchelf 사용법.
·
Tips & theory
딱 두 개 명령어만 기억하자
┌──(kali㉿kali)-[~/Downloads]
└─$ patchelf --set-interpreter ./ld-50390b2ae8aaa73c47745040f54e602f.so.2 tcache_dup
┌──(kali㉿kali)-[~/Downloads]
└─$ ldd tcache_dup
	linux-vdso.so.1 (0x00007ffcde7ea000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f60a2022000)
	./ld-50390b2ae8aaa73c47745040f54e602f.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007f60a2211000)
(이 시점의 ldd 출력에서는 libc.so.6이 아직 시스템 경로 /lib/x86_64-linux-gnu 로 잡혀 있다. 즉 인터프리터 설정만으로는 libc 경로가 바뀌지 않는다.)
┌──(kali㉿kali)-[~/Downl..
tcache_dup
·
Wargame/Dreamhack
// gcc -o tcache_dup tcache_dup.c -no-pie #include #include #include #include char *ptr[10]; void alarm_handler() { exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } int create(int cnt) { int size; if(cnt > 10) { return -1; } printf("Size: "); scanf("%d", &size); ptr[cnt] = malloc(size); if(!ptr[cnt]) {..