[App-System] ELF x86 - Stack buffer overflow basic 6
·
Wargame/Root me
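1. intro
2. code 및 분석
2.1. code
```c
#include
#include
#include
#include

int main (int argc, char ** argv){
    char message[20];

    if (argc != 2){
        printf ("Usage: %s \n", argv[0]);
        return -1;
    }

    setreuid(geteuid(), geteuid());
    strcpy (message, argv[1]);
    printf ("Your message: %s\n", message);
    return 0;
}
```
2.2. 분석
argv[1]을 message 변수에 복사하고 이를 출력한다. 복사 전에 setreuid(geteuid(), geteuid())를 호출하므로, setuid가 설정된 바이너리로 실행되는 것을 전제로 한 코드로 보인다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
message는 20바이트인데 strcpy는 복사 길이를 제한하지 않는다. 실제 코드라면 복사 전에 길이를 검증하거나 snprintf(message, sizeof message, "%s", argv[1])처럼 버퍼 크기로 제한된 복사를 써야 한다. argv[1]의 크기를 체크하지 않아 overflow가 발생..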
[App-System] ELF x86 - Stack buffer overflow basic 4
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include struct EnvInfo { char home[128]; char username[128]; char shell[128]; char path[128]; }; struct EnvInfo GetEnv(void) { struct EnvInfo env; char *ptr; if((ptr = getenv("HOME")) == NULL) { printf("[-] Can't find HOME.\n"); exit(0); } strcpy(env.home, ptr); if((ptr = getenv("USERNAME")) == NULL) { printf("[-] Can't find USERNAME.\n..
[App-System] ELF x64 - Double free
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include struct Zombie { int hp; void (*hurt)(); void (*eatBody)(); void (*attack)(); int living; }; struct Human { int hp; void (*fire)(int); void (*prayChuckToGiveAMiracle)(); void (*suicide)(); int living; }; struct Zombie *zombies[3]; struct Human *human = NULL; void fire(int zombieIndex) { struct Zombie *zombie = zombies[zombieIndex..
[App-System] ELF x64 - Stack buffer overflow - PIE
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include // Instructions // // gcc -o chall chall.c -Wl,-z,norelro -fno-stack-protector (on the app-systeme-ch61 server for instance, but the goal is to enable NX and PIE) void Winner() { printf("Access granted!\n"); FILE *fp; int c; fp = fopen(".passwd", "r"); if (fp == NULL) { perror("Error while opening the file.\n"); exit(EXIT_FAILURE); } else { print..
[App-System] ELF x86 - BSS buffer overflow
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include char username[512] = {1}; void (*_atexit)(int) = exit; void cp_username(char *name, const char *arg) { while((*(name++) = *(arg++))); *name = 0; } int main(int argc, char **argv) { if(argc != 2) { printf("[-] Usage : %s \n", argv[0]); exit(0); } cp_username(username, argv[1]); printf("[+] Running program with username : %s\n", username); _atexit(..
[App-System] ELF x86 - Use After Free - basic
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include #define BUFLEN 64 struct Dog { char name[12]; void (*bark)(); void (*bringBackTheFlag)(); void (*death)(struct Dog*); }; struct DogHouse{ char address[16]; char name[8]; }; int eraseNl(char* line){ for(;*line != '\n'; line++); *line = 0; return 0; } void bark(){ int i; for(i = 3; i > 0; i--){ puts("UAF!!!"); sleep(1); } } void b..
[App-System] ELF x86 - Stack buffer overflow basic 3
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include void shell(void); int main() { char buffer[64]; int check; int i = 0; int count = 0; printf("Enter your name: "); fflush(stdout); while(1) { if(count >= 64) printf("Oh no...Sorry !\n"); if(check == 0xbffffabc) shell(); else { read(fileno(stdin),&i,1); switch(i) { case '\n': printf("\a"); break; case 0x08: count--; print..
[App-System] ELF x86 - Race condition
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include #include #include #include #define PASSWORD "/challenge/app-systeme/ch12/.passwd" #define TMP_FILE "/tmp/tmp_file.txt" int main(void) { int fd_tmp, fd_rd; char ch; if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) { printf("[-] Don't use a debugguer !\n"); abort(); } if((fd_tmp = open(TMP_FILE, O_WRONLY | O_CREAT, 0444)) == -1) ..
[App-System] ELF x86 - Format string bug basic 2
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include int main( int argc, char ** argv ) { int var; int check = 0x04030201; char fmt[128]; if (argc 239 - 0x56 + 1 = 239 - 86 + 1 = 154 be => be - ef => 1be - ef = 446 - 239 = 207 ad => ad - be => 1ad - be = 429 - 190 = 239 de => de - ad = 222 - 173 = 49 가 된다. 다시 한번 페이로드를 변경해서 시도하면 ./ch14 `perl -e 'print "\xa8\xfa\xff\xbf","BBBB","\xa..
[App-System] ELF x64 - Stack buffer overflow - basic
·
Wargame/Root me
1. intro 2. code 및 분석 2.1. code #include #include #include #include #include /* gcc -o ch35 ch35.c -fno-stack-protector -no-pie -Wl,-z,relro,-z,now,-z,noexecstack */ void callMeMaybe(){ char *argv[] = { "/bin/bash", "-p", NULL }; execve(argv[0], argv, NULL); } int main(int argc, char **argv){ char buffer[256]; int len, i; scanf("%s", buffer); len = strlen(buffer); printf("Hello %s\n", buffer); r..