전체 글
-
SUS - pwnable.xyz | Write-ups/pwnable.xyz | 2020. 2. 13. 19:38
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { const char *v3; // rdi int v4; // eax setup(); v3 = "SUS - Single User Storage."; puts("SUS - Single User Storage."); while ( 1 ) { while ( 1 ) { print_menu(v3); v3 = "> "; printf("> ", argv); v4 = read_int32(); if ( v4 != 1 ) break; create_user(); } if ( v4 x/10gx $rbp-0x1060 0x7ffe689a66f0: 0x000000000078d010 0x000000..
-
fspoo - pwnable.xyz | Write-ups/pwnable.xyz | 2020. 2. 13. 18:58
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { setup(); printf("Name: "); read(0, &cmd[0x30], 0x1Fu); vuln(); return 0; } main은 cmd라는 전역변수의 0x30 오프셋부터 최대 0x1f바이트만큼 데이터를 입력받는다. unsigned int vuln() { int v1; // [esp+8h] [ebp-10h] unsigned int v2; // [esp+Ch] [ebp-Ch] v2 = __readgsdword(0x14u); while ( 1 ) { while ( 1 ) { printf(&cmd[32]); puts("1. Edit name.\n2. Prep msg.\n3. Pri..
-
hacknote - pwnable.tw | Write-ups/pwnable.tw | 2020. 2. 13. 18:31
Prob Info void __cdecl __noreturn main() { int v0; // eax char buf; // [esp+8h] [ebp-10h] unsigned int v2; // [esp+Ch] [ebp-Ch] v2 = __readgsdword(0x14u); setvbuf(stdout, 0, 2, 0); setvbuf(stdin, 0, 2, 0); while ( 1 ) { while ( 1 ) { menu(); read(0, &buf, 4u); v0 = atoi(&buf); if ( v0 != 2 ) break; delete_note(); } if ( v0 > 2 ) { if ( v0 == 3 ) { print_note(); } else { if ( v0 == 4 ) exit(0); L..
-
orw - pwnable.tw | Write-ups/pwnable.tw | 2020. 2. 13. 16:44
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { orw_seccomp(); printf("Give my your shellcode:"); read(0, &shellcode, 0xC8u); ((void (*)(void))shellcode)(); return 0; } orw_seccomp로 샌드박싱이 걸려 있으므로 open, read, write 시스템 콜로 플래그를 읽으면 된다. 대충 pwntools(폰툴)를 이용해서 쉘코드를 짜면 편하다. shellcode = shellcraft.open('/home/orw/flag') shellcode += shellcraft.read('eax','esp',100) shellcode += shellcraft.write(..
-
start - pwnable.tw | Write-ups/pwnable.tw | 2020. 2. 13. 16:17
Prob Info 보호기법이 적용되어 있지 않다. 간단한 쉘코딩 문제로 예상된다. public _start _start proc near push esp push offset _exit xor eax, eax xor ebx, ebx xor ecx, ecx xor edx, edx push 3A465443h push 20656874h push 20747261h push 74732073h push 2774654Ch mov ecx, esp ; addr mov dl, 14h ; len mov bl, 1 ; fd mov al, 4 int 80h ; LINUX - sys_write xor ebx, ebx mov dl, 3Ch mov al, 3 int 80h ; LINUX - add esp, 14h retn 문제에 메..
-
Game - pwnable.xyz | Write-ups/pwnable.xyz | 2020. 2. 12. 21:33
Prob Info int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { const char *v3; // rdi signed int v4; // eax setup(); v3 = "Shell we play a game?"; puts("Shell we play a game?"); init_game(); while ( 1 ) { while ( 1 ) { print_menu(v3, argv); v3 = "> "; printf("> "); v4 = read_int32(); if ( v4 != 1 ) break; (*((void (**)(void))cur + 3))(); } if ( v4 > 1 ) { if ( v4 == 2 ) ..
-
l33t-ness - pwnable.xyz | Write-ups/pwnable.xyz | 2020. 2. 12. 20:43
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { setup(); puts("The l33t-ness level."); if ( (unsigned __int8)round_1() && (unsigned __int8)round_2() && (unsigned __int8)round_3() ) win(); return 0; } main 함수는 간단하다. round_1, round_2, round_3을 모두 통과하면 win()이 호출된다. 하나씩 살펴보자. _BOOL8 round_1() { _BOOL8 result; // rax int v1; // [rsp+8h] [rbp-38h] int v2; // [rsp+Ch] [rbp-34h] char s; // [rsp+1..