[HackCTF / pwnable] ROP
HackCTF - ROP

Summary
32bit

Analysis

main
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  vulnerable_function();
  write(1, "Hello, World!\n", 0xEu);
  return 0;
}
```

vulnerable_function
```c
ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]
  return read(0, &buf, 0x100u);
}
```

buf는 ebp-0x88(136바이트)에 위치하는데 read는 최대 0x100(256)바이트까지 읽기 때문에 buf에서 버퍼 오버플로우가 발생한다.

Exploit
```python
from pwn import *
e = ELF("./rop")
#p = process("./rop")
p = remote("ctf..
```
2019.10.18 -
[HackCTF / pwnable] Pwning
HackCTF - Pwning

Summary
64bit (단, 아래 디컴파일 결과의 esp/ebp 오프셋을 보면 32bit 바이너리로 보인다 — 확인 필요)

Analysis

main
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0, 2, 0);
  return vuln();
}
```

vuln
```c
int vuln()
{
  char nptr; // [esp+1Ch] [ebp-2Ch]
  int v2; // [esp+3Ch] [ebp-Ch]
  printf("How many bytes do you want me to read? ");
  get_n(&nptr, 4);
  v2 = atoi(&nptr);
  if ( v2 > 32 )
    return printf("No! That size (%d) is too large!\n", v2);
  printf("..
```
2019.10.18 -
[HackCTF / pwnable] Gift
HackCTF - Gift

Summary
32bit

Analysis

main
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+0h] [ebp-84h]
  alarm(0x3Cu);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  printf("Hey guyssssssssss here you are: %p %p\n", &binsh, &system);
  fgets(&s, 128, stdin);
  printf(&s);
  gets(&s);
  return 0;
}
```

gets로 s에 입력을 받는다. gets는 입력 길이를 검사하지 않으므로 s에서 오버플로우가 일어나게 된다. 또한 printf(&s)는 사용자 입력을 포맷 문자열로 그대로 사용한다.

binsh의 주소..
2019.10.18 -
[HackCTF / pwnable] Look at me
HackCTF - Look at me

Summary
32bit

Analysis

main
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // ST1C_4
  setvbuf(stdout, 0, 2, 0);
  v3 = getegid();
  setresgid(v3, v3, v3);
  look_at_me();
  return 0;
}
```

look_at_me
```c
int look_at_me()
{
  char v1; // [esp+0h] [ebp-18h]
  puts("Hellooooooooooooooooooooo");
  return gets(&v1);
}
```

gets는 입력 길이를 검사하지 않으므로 ebp-0x18에 위치한 v1에서 버퍼 오버플로우가 생긴다.

Exploit
```python
from pwn import *
e = ELF("./lookatme"..
```
2019.10.15 -
[HackCTF / pwnable] RTL_Core
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+Ch] [ebp-1Ch]

  setvbuf(_bss_start, 0, 2, 0);
  puts(&::s);
  printf("Passcode: ");
  gets(&s);
  if ( check_passcode((int)&s) == hashcode )
  {
    puts(&byte_8048840);
    core();
  }
  else
  {
    puts(&byte_8048881);
  }
  return 0;
}
```

```c
int __cdecl check_passcode(int a1)
{
  int v2; ..
```
2019.10.08 -
[HackCTF / pwnable] Random Key
```c
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  int v4; // [rsp+0h] [rbp-10h]
  int v5; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v6; // [rsp+8h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  setbuf(_bss_start, 0LL);
  v4 = 0;
  v3 = time(0LL);
  srand(v3);
  v5 = rand();
  puts("============================");
  puts(asc_4009..
```
2019.10.08