Daddy! how can I exploit unlink corruption?
This is a game that reads the "flag" file with the "unlink_pwn" group permission.
When it is run, I can type something in.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct tagOBJ{
    struct tagOBJ* fd;
    struct tagOBJ* bk;
    char buf[8];
}OBJ;
void shell(){
    system("/bin/sh");
}
void · · ·
October 01, 2017
September 25, 2017

pwnable.kr asm solution
Mommy! I think I know how to make shellcodes.
There is a readme file on the pwnable.kr server. In short, "asm" requires a 64-bit Linux shellcode.
Before entering a shellcode, I looked at "asm.c".
<"asm.c" fullcode>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include · · ·
September 12, 2017

pwnable.kr memcpy solution
Are you tired of hacking? Take some rest here.
Just help me out with my small experiment regarding memcpy performance.
After that, the flag is yours.
The full code is here (Link). To summarize, after entering 10 numbers to allocate memory, it calls the slow_memcpy() and fast_memcpy() functions for each entered number to compare copy time. And at the · · ·
September 08, 2017

pwnable.kr codemap solution
I have a binary that has a lot of information inside the heap.
How fast can you reverse-engineer this?
The hint tells me that I should check the address "0x403E65". But in my disassembly (by OllyDbg), that address did not exist. So I did what I wanted.
① I found the string "the al~" in "Search for→All referenced text Strings". When I entered, · · ·
September 06, 2017

pwnable.kr uaf solution
Mommy, what is Use After Free bug?
A UAF (Use After Free) bug happens when memory of the same size is reallocated. When memory is freed, the data in it is still there. It doesn't disappear. And when a block of the same size is allocated again, the previously freed memory is handed back still containing the old data. If there is malicious · · ·
September 03, 2017

pwnable.kr cmd2 solution
Daddy bought me a system command shell.
but he put some filters to prevent me from playing with it without the permission.
but i wanna play anytime I want!
It is a quiz that executes "flag" with the permission of "cmd2". All environment variables are removed with "memset". Also the keywords "=", "PATH", "export", "/", "`" and "flag" are not · · ·
September 01, 2017

pwnable.kr cmd1 solution
Mommy! what is PATH environment in Linux?
There is "cmd1" and "cmd.c". The cmd1 program changes the PATH environment variable, blocks the keywords "flag", "sh" and "tmp", and executes the parameter "argv[1]".
Because PATH is changed, an absolute path is needed to execute anything.
There are two ways I checked.
1. Read the "flag" file with · · ·