
Wargame22

[Toddler's Bottle] passcode
passcode.c 소스
#include #include void login(){ int passcode1; int passcode2; printf("enter passcode1 : "); scanf("%d", passcode1); fflush(stdin); // ha! mommy told me that 32bit is vulnerable to bruteforcing :) printf("enter passcode2 : "); scanf("%d", passcode2); printf("checking...\n"); if(passcode1==338150 && passcode2==13371337){ printf("Login OK!\n"); system("/bin/cat flag"); } else{ printf(..
2014. 7. 19.
[LOB_FC3] hell_fire -> evil_wizard
#Env - NX - ascii armor - random stack
#Technic - GOT overwrite - strcpy PLT chain
evil_wizard.c 소스
[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting */ // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main(int argc, char *argv[]) ..
2014. 7. 19.
[LOB_FC3] dark_eyes -> hell_fire
#Env - NX - ascii armor - random stack
#Technic - do_system RTL
hell_fire.c 소스
/* The Lord of the BOF : The Fellowship of the BOF - hell_fire - Remote BOF on Fedora Core 3 - hint : another fake ebp or got overwriting - port : TCP 7777 */ #include int main() { char buffer[256]; char saved_sfp[4]; char temp[1024]; printf("hell_fire : What's this smell?\n"); printf("you : "); fflush(stdout); // give ..
2014. 7. 12.
[LOB_FC3] iron_golem -> dark_eyes
#Env - NX - ascii armor - random stack
#Technic - &ret sled로 RTL 인자 구성
dark_eyes.c 소스
[iron_golem@Fedora_1stFloor ~]$ cat dark_eyes.c /* The Lord of the BOF : The Fellowship of the BOF - dark_eyes - Local BOF on Fedora Core 3 - hint : RET sleding */ int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; if(argc < 2){ printf("argv error\n"); exit(0); } // save sfp memcpy(saved_sfp,..
2014. 7. 12.