목록Write-up/Pwnable (6)
또 뭐하지
[Dreamhack] ssp_001
풀이#include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1);}void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30);}void get_shell() { system("/bin/sh");} void print_box(unsigned char *box, int idx) { printf("Element of index %d is : %02x\n", idx, box[idx]);}void menu()..
[Dreamhack] Return to Shellcode
풀이// Name: r2s.c// Compile: gcc -o r2s r2s.c -zexecstack#include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0);}int main() { char buf[0x50]; init(); printf("Address of the buf: %p\n", buf); printf("Distance between buf and $rbp: %ld\n", (char*)__builtin_frame_address(0) - buf); printf("[1] Leak the canary\n"); printf("Input: "); fflush(stdout); read(0..
[Dreamhack] basic_exploitation_001
풀이#include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1);}void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30);}void read_flag() { system("cat /flag");}int main(int argc, char *argv[]) { char buf[0x80]; initialize(); gets(buf); return 0;}소스코드를 살펴보면 buf 크..
[Dreamhack] basic_exploitation_000
풀이주어진 바이너리를 실행시켜 보면 어떤 값이 나오고 입력을 받는다. 소스코드를 확인해보자. #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1);}void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30);}int main(int argc, char *argv[]) { char buf[0x80]; initialize(); printf("buf = (%p)\n", buf); s..
[Dreamhack] Return Address Overwrite
풀이// Name: rao.c// Compile: gcc -o rao rao.c -fno-stack-protector -no-pie#include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0);}void get_shell() { char *cmd = "/bin/sh"; char *args[] = {cmd, NULL}; execve(cmd, args, NULL);}int main() { char buf[0x28]; init(); printf("Input: "); scanf("%s", buf); return 0;}제공된 코드를 살펴보자.buf 크기는 0x28인데 scanf를 통해 입력받는 buf 크기에 제한..
[Dreamhack] shell_basic
풀이먼저 flag파일의 경로를 hex로 변환한다. 여기서 리틀엔티안방식으로 정렬하는거 기억해야한다!section .textglobal _start_start: push 0x0 mov rax, 0x676e6f6f6f6f6f6f push rax mov rax, 0x6c5f73695f656d61 push rax mov rax, 0x6e5f67616c662f63 push rax mov rax, 0x697361625f6c6c65 push rax mov rax, 0x68732f656d6f682f push rax mov rdi, rsp xor rsi, rsi xor rdx, rdx mov rax, 2 ..