과정

    [pwnable.kr][Toddler] fd 문제풀이


    fd keyword : File Descriptor #include #include #include char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc 123 #문자열 "123"이 정수 123으로 변환 ​ex) atoi("a") -> 0# 알파벳 같은 문자열은 0으로 변환된다. ==>0x1234 : 4660 이다. ssize_t read(int fd, void *buf, size_t nbytes) ​fd : 파일 디스크립터​void *buf : 파일을 읽어 들일 버퍼​size_t nbytes : 버퍼의 크기​return : 정상적으로 실행되었다면 읽어들인 바이트 수를 리턴, 실패시 -1을 반환 리눅스의 File descriptor ..

    [FC3] Level 5. evil_wizard → dark_stone


    dark_stone keyword : POP POP RET / Remote /* The Lord of the BOF : The Fellowship of the BOF - dark_stone - Remote BOF on Fedora Core 3 - hint : GOT overwriting again - port : TCP 8888 */ #include // magic potion for you from socket import * void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main() { char buffer[256]; char saved_sfp[4]; int length; char temp[1024]; prin..

    [FC3] Level 4. hell_fire → evil_wizard


    evil_wizard keyword : POP POP RET /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting */ // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; int length; if(argc < 2){ printf("argv error\n"); exit(0); } // for distu..

    [FC3] Level 3. dark_eyes → hell_fire


    hell_fire keyword : another fake_ebp or got overwriting /* The Lord of the BOF : The Fellowship of the BOF - hell_fire - Remote BOF on Fedora Core 3 - hint : another fake ebp or got overwriting - port : TCP 7777 */ #include int main() { char buffer[256]; char saved_sfp[4]; char temp[1024]; printf("hell_fire : What's this smell?\n"); printf("you : "); fflush(stdout); // give me a food fgets(temp,..

    [FC3] Level 2. iron_golem → dark_eyes


    dark_eyes Keyword : RET Sledding /* The Lord of the BOF : The Fellowship of the BOF - dark_eyes - Local BOF on Fedora Core 3 - hint : RET sleding */ int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; if(argc < 2){ printf("argv error\n"); exit(0); } // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, argv[1]); // restore sfp memcpy(buffer+264, saved_sfp,..

    [FC3] Level 1. gate → iron_golem


    iron_golem keyword : Fake_SFP + Ascii /* The Lord of the BOF : The Fellowship of the BOF - iron_golem - Local BOF on Fedora Core 3 - hint : fake ebp */ int main(int argc, char *argv[]) { char buffer[256]; if(argc < 2){ printf("argv error\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); } f6dea000-f6df1000 rw-p f6dea000 00:00 0 f6df1000-f6df7000 r--s 00000000 fd:00 572196 /usr/lib..

    [LOB] Level20: xavius → death_knight [完]


    death_knight /* The Lord of the BOF : The Fellowship of the BOF - dark knight - remote BOF */ #include #include #include #include #include #include #include #include #include main() { char buffer[40]; int server_fd, client_fd; struct sockaddr_in server_addr; struct sockaddr_in client_addr; int sin_size; if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror("socket"); exit(1); } server_..

    [LOB] Level19: nightmare → xavius


    xavius /* The Lord of the BOF : The Fellowship of the BOF - xavius - arg */ #include #include #include main() { char buffer[40]; char *ret_addr; // overflow! fgets(buffer, 256, stdin); printf("%s\n", buffer); if(*(buffer+47) == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(*(buffer+47) == '\x08') { printf("binary image retbayed you, too!!\n"); exit(0); } // check if the ret_addr is li..