DreamHack - Return to Shellcode 풀이
r2s.c // Name: r2s.c // Compile: gcc -o r2s r2s.c -zexecstack #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int main() { char buf[0x50]; init(); printf("Address of the buf: %p\n", buf); printf("Distance between buf and $rbp: %ld\n", (char*)__builtin_frame_address(0) - buf); printf("[1] Leak the canary\n"); printf("Input: "); fflush(stdout); read(0, buf, 0x1..
2023. 5. 1.
DreamHack - Return Address Overwrite
rao.c // Name: rao.c // Compile: gcc -o rao rao.c -fno-stack-protector -no-pie #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } void get_shell() { char *cmd = "/bin/sh"; char *args[] = {cmd, NULL}; execve(cmd, args, NULL); } int main() { char buf[0x28]; init(); printf("Input: "); scanf("%s", buf); return 0; } 버퍼의 사이즈는 0x28(40 bytes)이며, get_shell() 함수로 return 하..
2023. 4. 30.
HackLog
