본문 바로가기

시스템 해킹/드림핵13

[Dreamhack] basic_heap_overflow #include #include #include #include #include struct over { void (*table)(); }; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } void get_shell() { system("/bin/sh"); } void table_func() { printf("overwrite_me!"); } int main() { char *ptr = malloc(0x20); struct o.. 2021. 7. 20.
[Dreamhack] memory_leakage #include #include #include #include #include FILE *fp; struct my_page { char name[16]; int age; }; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } int main() { struct my_page my_page; char flag_buf[56]; int idx; memset(flag_buf, 0, sizeof(flag_buf)); initialize.. 2021. 7. 19.
[Dreamhack] out_of_bound #include #include #include #include #include char name[16]; char *command[10] = { "cat", "ls", "id", "ps", "file ./oob" }; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } int main() { int idx; initialize(); printf("Admin name: "); read(0, name, sizeof(name)); p.. 2021. 7. 18.
[Dreamhack] basic_exploitation_002 basic_explotation_002.c #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } void get_shell() { system("/bin/sh"); } int main(int argc, char *argv[]) { char buf[0x80]; initialize(); read(0, buf, 0x80); printf(buf); exit(0); } 코드의 .. 2021. 7. 17.
[Dreamhack] sint 문제에서 주어진 코드는 아래와 같다. sint.c #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } void get_shell() { system("/bin/sh"); } int main() { char buf[256]; int size; initialize(); signal(SIGSEGV, get_shell); printf("Size: "); scanf("%d",.. 2021. 7. 15.
[Dreamhack] basic_exploitation_003 #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } void get_shell() { system("/bin/sh"); } int main(int argc, char *argv[]) { char *heap_buf = (char *)malloc(0x80); char stack_buf[0x90] = {}; initialize(); read(0, heap_buf, 0x80.. 2021. 5. 22.
[Dreamhack] oneshot // gcc -o oneshot1 oneshot1.c -fno-stack-protector -fPIC -pie #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } int main(int argc, char *argv[]) { char msg[16]; size_t check = 0; initialize(); printf("stdout: %p\n", stdout); pr.. 2021. 5. 11.
[Dreamhack] Off_by_one_001 #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } void read_str(char *ptr, int size) { int len; len = read(0, ptr, size); printf("%d", len); ptr[len] = '\0'; } void get_shell() { system("/bin/sh"); } int main() { char name[20];.. 2021. 5. 7.
[Dreamhack] basic_rop_x64 #include #include #include #include void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(30); } int main(int argc, char *argv[]) { char buf[0x40] = {}; initialize(); read(0, buf, 0x400); write(1, buf, sizeof(buf)); return 0; } 문제에서 주어진 코드는 위와 같다. 이번 문제는 basic_rop_x86과 비슷하다.. 2021. 5. 5.

티스토리툴바