엮은이는 아는데요

heap1.c #include #include #include #include #include struct internet { int priority; char *name; }; void winner() { printf("and we have a winner @ %d\n", time(NULL)); } int main(int argc, char **argv) { struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i..

heap0.c #include #include #include #include #include struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n..

format4.c #include #include #include #include int target; void hello() { printf("code execution redirected! you win\n"); _exit(1); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); exit(1); } int main(int argc, char **argv) { vuln(); } 출처: http://liveoverflow.com/binary_hacking/protostar/format4.html 1. 문제 해결 및 분석 1-1. exploit할 위치 확인 vuln() 함수의 exit 부분을 hell..

format3.c #include #include #include #include int target; void printbuffer(char *string) { printf(string); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); } } int main(int argc, char **argv) { vuln(); } 출처: http://liveoverflow.com/bi..

format2.c #include #include #include #include int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); } 출처: http://liveoverflow.com/binary_hacking/protostar/format2.html 1. 문제해결 및 분석 1-1. target 확인 ta..

format1.c #include #include #include #include int target; void vuln(char *string) { printf(string); if(target) { printf("you have modified the target :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } 출처: http://liveoverflow.com/binary_hacking/protostar/format1.html 1. 문제 해결 및 분석 1-0. 포맷 스트링 위치 printf에서 포맷 스트링 버그를 발생시키면 된다. 즉 %x를 통해 스택에 있는 주소를 가져와서 argument까지 접근한다. %x를 반복하면 argument까..

format0.c #include #include #include #include void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } 출처: http://liveoverflow.com/binary_hacking/protostar/format0.html 1. 문제해결 및 분석 1-1. format0.c 만들기 gedit format0.c 소스 붙여..

stack7.c #include #include #include #include char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p) ", ret); _exit(1); } printf("got path %s ", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } 출처: http://liveoverfl..

stack7.c #include #include #include #include char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p) ", ret); _exit(1); } printf("got path %s ", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } 1. 문제 해결 1-1. aslr 끄기..

stack6.c #include #include #include #include void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } 출처: http://liveoverflow.com/binary_hacking/..