pwnable
![[pwnable.kr][Toddler] flag 문제풀이](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F9928E6495B713A782B)
[pwnable.kr][Toddler] flag 문제풀이
Flag 해당 바이너리를 다운받아 실행해보면 root@kali:~/BoB7/pwnable/flag# ./flag I will malloc() and strcpy the flag there. take it. 위와 같이 뜬다. root@kali:~/BoB7/pwnable/flag# checksec flag [*] '/root/BoB7/pwnable/flag/flag' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments Packer: Packed with UPX checksec로 확인해보면 UPX로 실행압축 되었음을 알 수 있다. root@kal..
![[pwnable.kr][Toddler] bof 문제풀이](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F9949524C5B713A5D16)
[pwnable.kr][Toddler] bof 문제풀이
bof keyword : Stack Canary #include #include #include void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme);// smash me! if(key == 0xcafebabe){ system("/bin/sh"); } else{ printf("Nah..\n"); } } int main(int argc, char* argv[]){ func(0xdeadbeef); return 0; } main에서 key값으로 0 xdeadbeef값을 인자로 전달한다.32byte크기의 overflow(me배열이 선언되었데, gets함수로 인해 입력 크기를 제한하지 않고 입력 받게 된다.key값을 ..
![[pwnable.kr][Toddler] col 문제풀이](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F99CB444A5B713A4A39)
[pwnable.kr][Toddler] col 문제풀이
col #include #include unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p; int i; int res=0; for(i=0; i
![[pwnable.kr][Toddler] fd 문제풀이](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F99EEF13D5B713A0E37)
[pwnable.kr][Toddler] fd 문제풀이
fd keyword : File Discriptor #include #include #include char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc 123 #문자열 "123"이 정수 123으로 변환 ex) atoi("a") -> 0# 알파벳 같은 문자열은 0으로 변환된다. ==>0x1234 : 4660 이다. ssize_t read(int fd, void *buf, size_t nbytes) fd : 파일 디스크립터void *buf : 파일을 읽어 들일 버퍼size_t nbytes : 버퍼의 크기return : 정상적으로 실행되었다면 읽어들인 바이트 수를 리턴, 실패시 -1을 반환 리눅스의 File descriptor ..
![[FC3] Level 4. hell_fire → evil_wizard](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F9973373D5B713DF239)
[FC3] Level 4. hell_fire → evil_wizard
evil_wizard keyword : POP POP RET /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting */ // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; int length; if(argc < 2){ printf("argv error\n"); exit(0); } // for distu..
![[FC3] Level 2. iron_golem → dark_eyes](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F996B9A4B5B713DBB25)
[FC3] Level 2. iron_golem → dark_eyes
dark_eyes Keyword : RET Sleding /* The Lord of the BOF : The Fellowship of the BOF - dark_eyes - Local BOF on Fedora Core 3 - hint : RET sleding */ int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; if(argc < 2){ printf("argv error\n"); exit(0); } // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, argv[1]); // restore sfp memcpy(buffer+264, saved_sfp,..
![[FC3] Fedora Catle 3](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F992C413E5B713D722D)
[FC3] Fedora Catle 3
[FC3 - 총 5문제] FC1~FC3까지 동일 환경이기 때문에 FC3 환경에서부터 시작합니다. [주소] http://hackerschool.org/TheLordofBOF/VM_FC3.zip [환경 요약] Stack Dummy : O Down privileage of bash : O Random Stack : O Random Library : X Random Program Binary Mapped : X ASCII Armor : O Non-Executable Stack : O Non-Executable Heap : O Stack Carany : X Stack Smashing Protector : X [몹들] gate -> iron_golem : Fake_SFP + Ascii Armor iron_golem..