Level20.
After logging in with the level20 account, check the hint as follows.
Looking at the code, the program declares an 80-byte array named bleh.
To do a BOF I would have to overwrite RET, but since fgets accepts only 79 bytes, a BOF attack looks difficult.
printf(bleh), however, is a format string bug (FSB), so I decided to attack through the FSB instead.
Feeding %x as input confirms the FSB vulnerability as expected.
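The defect the write-up relies on is `printf(bleh)`: user data is passed as the format string, so every `%` directive in the input is interpreted by printf. The block below is an added illustration (not the FTZ level20 source, whose hint image is missing) that places that pattern beside its hardened form and adds a small screening helper; all function names and the sample inputs are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the level20 binary's source. Names are invented. */

#define BLEH_SIZE 80   /* same size as the level's bleh[80] */

/* Vulnerable pattern: the user's bytes become the format string, so
 * "%x" reads stack words and "%n" writes memory.  Kept only to show
 * the defect; never call it on untrusted input.
 * gcc -Wformat -Wformat-security flags this line. */
void echo_unsafe(const char *bleh)
{
    printf(bleh);
}

/* Hardened form: the format string is a constant and bleh is printed
 * as data, so '%' characters in it are never interpreted. */
void echo_safe(const char *bleh)
{
    printf("%s", bleh);
}

/* Count '%' conversion directives in a string ("%%" is a literal percent
 * and is not counted).  Input to a plain text field that carries several
 * directives is a useful log signal for format-string probing. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent: skip both characters */
            i++;
            continue;
        }
        n++;
    }
    return n;
}

/* Read a line the way the level does (fgets into an 80-byte buffer keeps
 * at most 79 bytes plus the terminator) and render it through the safe
 * path into `out`.  Returns the number of bytes produced. */
int read_and_echo(const char *line, char *out, size_t outsz)
{
    char bleh[BLEH_SIZE];

    /* fgets-like copy: at most BLEH_SIZE-1 bytes, always NUL-terminated */
    strncpy(bleh, line, BLEH_SIZE - 1);
    bleh[BLEH_SIZE - 1] = '\0';

    /* constant format string: directives inside bleh stay literal text */
    return snprintf(out, outsz, "%s", bleh);
}
```

With the hardened form, `read_and_echo("%x%x", ...)` simply outputs the four characters `%x%x`; with `echo_unsafe` the same input would print two stack words. Beyond fixing the call site, building with `-Wformat -Wformat-security` catches the pattern at compile time, and glibc built with `_FORTIFY_SOURCE=2` aborts when a `%n` directive appears in a format string that lives in writable memory.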
I tried to analyze the program with gdb, but there is no main function symbol, so that analysis was not possible. I therefore targeted the .dtors section with the FSB instead.
The address printed, 0x08049594, is the address of __DTOR_LIST__.
I use 0x08049598, the __DTOR_END__ entry 4 bytes further on, as the overwrite target. Then I put the shellcode in an environment variable and check its address.
To see where bleh[80] sits on the stack, I try the following.
I find that bleh[80] starts after 12 bytes. The result of building the payload and submitting it is as follows.
Done.
I had solved Hacker School FTZ before.
Back then I did not write anything down while solving it; this time, solving the problems and documenting them, it feels new again.
This document focuses on the problem-solving process and is not a detailed description.
In the future I would like to post detailed write-ups on RTL, FSB, and so on to my blog. Before I join the army, I plan to solve and document other problems while studying computers and security.