![[HITCON] LAB14 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FcPzBe7%2Fbtq4o5YonnP%2FRteIGJ7yPffzpU8a81Va70%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB14
문제소스 #include #include #include void read_input(char *buf,size_t size){ int ret ; ret = read(0,buf,size); if(ret = 10){ puts("Out of bound!"); _exit(0); } if(heaparray[idx]){ printf("Size of Heap : "); read(0,buf,8); size = atoi(buf); printf("Content of heap : "); read_input(heaparray[idx] ,size); puts("Done !"); }else{ puts("No such heap !"); } } void delete_heap(){ int idx ; char buf[4]; print..
![[HITCON] LAB13 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FuRbOq%2Fbtq4qAQzPeN%2FJIXuhexizwpzVqkJlknsMK%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB13
문제소스 #include #include #include void read_input(char *buf,size_t size){ int ret ; ret = read(0,buf,size); if(ret content = (char *)malloc(size); if(!heaparray[i]->content){ puts("Allocate Error"); exit(2); } heaparray[i]->size = size ; printf("Content of heap:"); read_input(heaparray[i]->content,size); puts("SuccessFul"); break ; } } } void edit_heap(){ int idx ; char buf[4]; printf("Index :"); ..
![[HITCON] LAB12 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FX4Zw4%2Fbtq4nOISRo4%2FApYPDwnK025JmNmzKyyWxK%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB12
문제소스 #include #include #include #include #include #include #include #include #define TIMEOUT 60 struct flower{ int vaild ; char *name ; char color[24] ; }; struct flower* flowerlist[100] ; unsigned int flowercount = 0 ; void menu(){ puts(""); puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ "); puts("☆ Baby Secret Garden ☆ "); puts("☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ "); puts(""); puts(" 1 . Raise a f..
![[HITCON] LAB11 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fb4bDU6%2Fbtq4lkG5udE%2FHh5cXlo5zaojOKTxqRzPGk%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB11
문제소스 #include #include #include #include #include #include struct item{ int size ; char *name ; }; struct item itemlist[100] = {0}; int num ; void hello_message(){ puts("There is a box with magic"); puts("what do you want to do in the box"); } void goodbye_message(){ puts("See you next time"); puts("Thanks you"); } struct box{ void (*hello_message)(); void (*goodbye_message)(); }; void menu(){ p..
![[HITCON] LAB10 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2F5LzlA%2Fbtq4dvwRocI%2F2VUyoTUmBdxsE81oU0qwlK%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB10
문제소스 #include #include #include struct note { void (*printnote)(); char *content ; }; struct note *notelist[5]; int count = 0; void print_note_content(struct note *this){ puts(this->content); } void add_note(){ int i ; char buf[8]; int size ; if(count > 5){ puts("Full"); return ; } for(i = 0 ; i < 5 ; i ++){ if(!notelist[i]){ notelist[i] = (struct note*)malloc(sizeof(struct note)); if(!notelist[..
![[HITCON] LAB9 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FQ88O9%2Fbtq4ddhCWQ2%2FjF1n9dr91xk4tGzXmkQpF0%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB9
문제 소스 #include #include #include char buf[200] ; void do_fmt(){ while(1){ read(0,buf,200); if(!strncmp(buf,"quit",4)) break; printf(buf); } return ; } void play(){ puts("====================="); puts(" Magic echo Server"); puts("====================="); do_fmt(); return; } int main(){ setvbuf(stdout,0,2,0); play(); return; } 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABL..
![[HITCON] LAB8 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FblrpSI%2Fbtq4bKnairu%2FGODNwKdKIl6oODY0AfqOJ0%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB8
문제 소스 #include int magic = 0 ; int main(){ char buf[0x100]; setvbuf(stdout,0,2,0); puts("Please crax me !"); printf("Give me magic :"); read(0,buf,0x100); printf(buf); if(magic == 0xda){ system("cat /home/craxme/flag"); }else if(magic == 0xfaceb00c){ system("cat /home/craxme/craxflag"); }else{ puts("You need be a phd"); } } 보호기법 gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED..
![[HITCON] LAB7 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbEuZqo%2Fbtq4f9yOs1C%2FrJmt1Pw1e0raVbyiMWHQnK%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB7
문제 소스 #include #include #include #include unsigned int password ; int main(){ setvbuf(stdout,0,2,0); char buf[100]; char input[16]; int fd ; srand(time(NULL)); fd = open("/dev/urandom",0); read(fd,&password,4); printf("What your name ? "); read(0,buf,99); printf("Hello ,"); printf(buf); printf("Your password :"); read(0,input,15); if(atoi(input) != password){ puts("Goodbyte"); }else{ puts("Congr..
![[HITCON] LAB6 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FWHiVo%2Fbtq4hJfvQzq%2FGJwhbIL0mKiY6amkIb1Qyk%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB6
문제 소스 #include int count = 1337 ; int main(){ if(count != 1337) _exit(1); count++; char buf[40]; setvbuf(stdout,0,2,0); puts("Try your best :"); read(0,buf,64); return ; } 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : FULL 문제 분석 및 페이로드 1. ROP를 한번에 진행하려고 하니 길이가 부족하다. -->ret까지 거리는 44인데 입력값을 64만큼 받으면 남은건 20이기 때문 2. 이것을 해결하기 위해 Stack Pivoting(Fake E..
![[HITCON] LAB5 포스팅 썸네일 이미지](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fcmklke%2Fbtq4cvXhgT0%2FGCIXuQgNwCKQKZkixA2pH0%2Fimg.png)
War Games/HITCON Training
[HITCON] LAB5
문제 소스 #include int main(){ char buf[20]; puts("ROP is easy is'nt it ?"); printf("Your input :"); fflush(stdout); read(0,buf,100); } 보호기법 gdb-peda$ checksec CANARY : disabled FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial 문제 분석 및 페이로드 ROP인데 libc가 주어지지 않아 file ./simplerop로 static linked를 확인함 static linked일 때 쓸 수 있는 2가지 방법 1. syscall을 이용해 exploit 2. mprotect 함수를 이용해 exploit 난 첫번째 방법..
