본문 바로가기

Wargame/LOB(끝)

(23)

death_knight (end) result [death_knight@localhost death_knight]$ cat dropped_item.txt You're so great! This is a token to the next gate. ,. ,' `. ,' __ `. ,'.-'____`-.`. ,'_.-'' ``-._`. ,',' /\ `.`. ,' /.._ O / \ O _.,\ `. ,'/ / \ ``-;.--.:-'' / \ \`. ,' : : \ /\`.,'/\ / : : `. () `. : : / \/,'`.\/ \ ; ; ,' `.\ \ /_..-:`--';-.._\ / /,' `. \`' O \ / O `'/ ,' `.`._ \/ _,',' `..``-.____.-'',,..

xavius -> death_knight 문제소스 #include #include #include #include #include #include #include #include #include main(){char buffer[40]; int server_fd, client_fd; struct sockaddr_in server_addr; struct sockaddr_in client_addr; int sin_size; if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){perror("socket");exit(1);} server_addr.sin_family = AF_INET; server_addr.sin_port = htons(6666); server_addr.sin_addr.s_addr = I..

nightmare -> xavius 문제소스 /* The Lord of the BOF : The Fellowship of the BOF - xavius - arg*/ #include #include #include main(){char buffer[40];char *ret_addr; // overflow!fgets(buffer, 256, stdin);printf("%s\n", buffer); if(*(buffer+47) == '\xbf'){printf("stack retbayed you!\n");exit(0);} if(*(buffer+47) == '\x08') { printf("binary image retbayed you, too!!\n"); exit(0); } // check if the ret_addr is library functi..

succubus->nightmare 문제소스/* The Lord of the BOF : The Fellowship of the BOF - nightmare - PLT*/ #include #include #include #include main(int argc, char *argv[]){char buffer[40];char *addr; if(argc < 2){printf("argv error\n");exit(0);} // check addressaddr = (char *)&strcpy; if(memcmp(argv[1]+44, &addr, 4) != 0){ printf("You must fall in love with strcpy()\n"); exit(0); } // overflow! strcpy(buffer, argv[1]);printf("..

zombie_assassin -> succubus /* The Lord of the BOF : The Fellowship of the BOF - succubus - calling functions continuously */ #include #include #include // the inspectorint check = 0; void MO(char *cmd){ if(check != 4) exit(0); printf("welcome to the MO!\n"); // olleh!system(cmd);} void YUT(void){ if(check != 3) exit(0); printf("welcome to the YUT!\n"); check = 4;} void GUL(void){ if(check != 2) exit(0); printf("welcome to..

assassin -> zombie_assassin 소스는 이렇다./* The Lord of the BOF : The Fellowship of the BOF - zombie_assassin - FEBP*/ #include #include main(int argc, char *argv[]){ char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] == '\xbf') { printf("stack retbayed you!\n"); exit(0); } if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } // strncpy instead of strcpy! strncpy(buffer, ..

giant -> assassin RTL2 문제가 풀리니 다른문제는 술술 풀리는 것 같다. 문제의 소스는 /* The Lord of the BOF : The Fellowship of the BOF - assassin - no stack, no RTL*/ #include #include main(int argc, char *argv[]){char buffer[40]; if(argc < 2){printf("argv error\n");exit(0);} if(argv[1][47] == '\xbf'){printf("stack retbayed you!\n");exit(0);} if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } strcpy(buffer, ar..

파이썬 버그 0x0f -> 0x00 파이썬에 버그가 있다고 한다. 0x0f -> 0x00 으로 인식하는 버그인데, 이를 위해서 ./giant `python -c 'print "\x00"'` 여기서 `python ~ 00"'` 부분을 " 으로 묶어준다. ./giant "`python -c 'print "\x00"'`" 이런식으로 하면 올바른 페이로드를 작성할 수 있다.

이전 1 2 3 다음

티스토리툴바