
[Lord Of Bof] Lord Of BOF Solutions (Fedora 10) Solutions Level 1 - off-by-one %ecx register overflow; first we need to understand the environment of Fedora 5; the prologue and epilogue are changed; through the ecx register, it works as a stack guard and stack shield; normally we can't control the return address directly, but to control the return address we need to know ecx (ret+4); but it's extremely difficult to guess the %ecx register because of ASLR; so we need to use of..
[Lord Of Bof] Lord Of BOF Solutions (Fedora 4) Solutions Level 1 - up-upgraded simple buffer overflow; no more fake ebp; random library; like the FC3 level 1 problem, use ret-to-ret to escape the random stack; when using 12 rets, execve's argument 2 (argv) is null; ret address: 0x08048451; execve address: 0x00832abc; for the file name: 85 c0 75 53 65 a1 54; payload: ln -s ./shell $(echo -en "\x85\xc0\x75\x53\x65\xa1\x54") ./cruel $(python -c 'print "A..
[Lord Of Bof] Lord Of BOF Solutions (Fedora 3) Solutions Level 1 - upgraded simple buffer overflow; because of the operating system, there are some limits such as random stack, ASLR, ASCII armor, and other memory protections; so we'd rather use an RTL or ROP attack than shellcode; the hint is fake ebp, and I'll use fake ebp + RTL; and use execve instead of system, because the internal routine of the system function re-sets the geteuid value; we need ..
Blog activity resumed! Now that the CSAT is over, I'm back to blogging haha. Right now I'm starting by re-solving LOB and re-posting the solutions~
Oops... I made a mistake. It's been half a year since I last logged into the blog.. and suddenly I had a reason to come back.. While checking my mail for the first time in a while, I saw that bla from io.smash the stack had sent me a message; wondering what it was, I opened it, and it turned out I had solved io and forgotten to set the write-ups to private ㄷㄷㄷ. So I had received a mail asking me to take the posts down.... From now on, when I write wargame solutions, I'll have to check that I've set them to private...