[HITCON-Training] lab2
HITCON-Training lab2

Summary
- 32bit
- shellcode

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

main은 먼저 orw_seccomp()를 호출한 뒤, 입력받은 최대 0xC8바이트를 그대로 함수로 호출해 실행한다. seccomp 때문에 일반적인 쉘코드는 작동하지 않는다. 직접 flag.txt를 읽어서 출력하는 쉘코드를 만들면 된다.

Exploit

from pwn import *
e = ELF("./orw.bin")
p = process("./orw.bin")
context(arch="i386..
2019.10.30 -
[HITCON-Training] lab1
HITCON-Training lab1

Summary
- 32bit
- debugger

Analysis

sysmagic.c

#include
#include
void get_flag(){
  int fd ;
  int password;
  int magic ;
  char key[] = "Do_you_know_why_my_teammate_Orange_is_so_angry???";
  char cipher[] = {7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 6..
2019.10.30 -
[HackCTF / pwnable] SysROP
HackCTF - SysROP

Summary
- 64bit
- syscall

Analysis

main

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char buf; // [rsp+0h] [rbp-10h]

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  read(0, &buf, 0x78uLL);
  return 0LL;
}

read로 buf에 입력을 받는다. buf는 rbp-0x10에 있는데 read는 최대 0x78바이트를 읽으므로 buf에서 오버플로우가 일어나게 된다. read 말고는 다른 함수가 없다. 하지만 pop rax ; pop rdx ; pop rdi ; pop rsi ; ret 가젯이 있다. pop rax ; pop rdx ; pop rdi ; pop rsi ; ret 가..
2019.10.28 -
[HackCTF / pwnable] RTC
HackCTF - RTC

Summary
- 64bit
- return to csu

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-40h]

  setvbuf(stdin, 0LL, 2, 0LL);
  write(1, "Hey, ROP! What's Up?\n", 0x15uLL);
  return read(0, &buf, 0x200uLL);
}

buf는 rbp-0x40에 있는데 read가 최대 0x200바이트를 읽으므로 read에서 버퍼 오버플로우가 생긴다. return to csu 기법을 처음 해보았다. __libc_csu_init에서 2부분을 사용한다.

Dump of assembler code for function __libc_csu_init:
...생략...
0x0..
2019.10.22 -
[HackCTF / pwnable] You are silver
HackCTF - You are silver

Summary
- 64bit

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-30h]
  int v5; // [rsp+28h] [rbp-8h]
  unsigned int v6; // [rsp+2Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  v6 = 50;
  puts("Please enter your name");
  fgets(&s, 46, stdin);
  printf(&s, 46LL);
  v5 = get_tier(v6);
  printf((const char *)v5);
  return 0;
}

get_tier

signed ..
2019.10.19 -
[HackCTF / pwnable] Unexploitable #1
HackCTF - Unexploitable #1

Summary
- 64bit

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-10h]

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  fwrite("Easy RTL ha? You even have system@plt!\n", 1uLL, 0x27uLL, stdout);
  fflush(stdin);
  fgets(&s, 64, stdin);
  return 0;
}

gift

int gift()
{
  return system("use this system gadget :D");
}

s에서 오..
2019.10.18