해킹

[FC3] Level 4. hell_fire → evil_wizard

evil_wizard keyword : POP POP RET /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting */ // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; int length; if(argc < 2){ printf("argv error\n"); exit(0); } // for distu..

[FC3] Level 2. iron_golem → dark_eyes

dark_eyes Keyword : RET Sleding /* The Lord of the BOF : The Fellowship of the BOF - dark_eyes - Local BOF on Fedora Core 3 - hint : RET sleding */ int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; if(argc < 2){ printf("argv error\n"); exit(0); } // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, argv[1]); // restore sfp memcpy(buffer+264, saved_sfp,..

[FC3] Fedora Catle 3

[FC3 - 총 5문제] FC1~FC3까지 동일 환경이기 때문에 FC3 환경에서부터 시작합니다. [주소] http://hackerschool.org/TheLordofBOF/VM_FC3.zip [환경 요약] Stack Dummy : O Down privileage of bash : O Random Stack : O Random Library : X Random Program Binary Mapped : X ASCII Armor : O Non-Executable Stack : O Non-Executable Heap : O Stack Carany : X Stack Smashing Protector : X [몹들] gate -> iron_golem : Fake_SFP + Ascii Armor iron_golem..

[LOB] Level19: nightmare → xavius

xavius /* The Lord of the BOF : The Fellowship of the BOF - xavius - arg */ #include #include #include main() { char buffer[40]; char *ret_addr; // overflow! fgets(buffer, 256, stdin); printf("%s\n", buffer); if(*(buffer+47) == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(*(buffer+47) == '\x08') { printf("binary image retbayed you, too!!\n"); exit(0); } // check if the ret_addr is li..

[LOB] Level18: succubus → nightmare

nightmare /* The Lord of the BOF : The Fellowship of the BOF - nightmare - PLT */ #include #include #include #include main(int argc, char *argv[]) { char buffer[40]; char *addr; if(argc < 2){ printf("argv error\n"); exit(0); } // check address addr = (char *)&strcpy; if(memcmp(argv[1]+44, &addr, 4) != 0){ printf("You must fall in love with strcpy()\n"); exit(0); } // overflow! strcpy(buffer, arg..

[LOB] Level17: zombie_assassin → succubus

succubus keyword : RTL /* The Lord of the BOF : The Fellowship of the BOF - succubus - calling functions continuously */ #include #include #include // the inspector int check = 0; void MO(char *cmd) { if(check != 4) exit(0); printf("welcome to the MO!\n"); // olleh! system(cmd); } void YUT(void) { if(check != 3) exit(0); printf("welcome to the YUT!\n"); check = 4; } void GUL(void) { if(check != ..

[LOB] Level16: assassin → zombie_assassin

zombie_assassin Keyword : RTL /* The Lord of the BOF : The Fellowship of the BOF - zombie_assassin - FEBP */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } // strncpy instead of ..

[LOB] Level15: gaint → assassin

assassin /* The Lord of the BOF : The Fellowship of the BOF - assassin - no stack, no RTL */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n"..