2019/10/06
[LOB] - zombie_assassin -> succubus 풀이
[LOB] - zombie_assassin -> succubus 풀이
2019.10.06/* The Lord of the BOF : The Fellowship of the BOF - succubus - calling functions continuously */ #include #include #include // the inspector int check = 0; void MO(char *cmd) { if(check != 4) exit(0); printf("welcome to the MO!\n"); // olleh! system(cmd); } void YUT(void) { if(check != 3) exit(0); printf("welcome to the YUT!\n"); check = 4; } void GUL(void) { if(check != 2) exit(0); printf("wel..
[LOB] - giant -> assassin 풀이
[LOB] - giant -> assassin 풀이
2019.10.06/* The Lord of the BOF : The Fellowship of the BOF - assassin - no stack, no RTL */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer)..
[LOB] - darkknight -> bugbear 풀이
[LOB] - darkknight -> bugbear 풀이
2019.10.06/* The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1 */ #include #include main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack betrayed you!!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); } 이번 문제는 필자가 좋아하는 RTL 공격이다. 스택의 주소를 사용할 수 없으므로 공유 라이브러리 함수를 사용해보자. bugbear 바이너리를 분석..