#include // magic potion for youvoid pop_pop_ret(void){ asm("pop %eax"); asm("pop %eax"); asm("ret");} int main(){ char buffer[256]; char saved_sfp[4]; int length; char temp[1024]; printf("dark_stone : how fresh meat you are!\n"); printf("you : "); fflush(stdout); // give me a food fgets(temp, 1024, stdin); // for disturbance RET sleding length = strlen(temp); // save sfp memcpy(saved_sfp, buffe..
/* The Lord of the BOF : The Fellowship of the BOF - evil_wizard - Local BOF on Fedora Core 3 - hint : GOT overwriting*/ // magic potion for youvoid pop_pop_ret(void){ asm("pop %eax"); asm("pop %eax"); asm("ret");} int main(int argc, char *argv[]){ char buffer[256]; char saved_sfp[4]; int length; if(argc < 2){ printf("argv error\n"); exit(0); } // for disturbance RET sleding length = strlen(argv..
[dark_eyes@Fedora_1stFloor ~]$ cat ./hell_fire.c/* The Lord of the BOF : The Fellowship of the BOF - hell_fire - Remote BOF on Fedora Core 3 - hint : another fake ebp or got overwriting - port : TCP 7777*/ #include int main(){ char buffer[256]; char saved_sfp[4]; char temp[1024]; printf("hell_fire : What's this smell?\n"); printf("you : "); fflush(stdout); // give me a food fgets(temp, 1024, std..
/* The Lord of the BOF : The Fellowship of the BOF - dark_eyes - Local BOF on Fedora Core 3 - hint : RET sleding*/ int main(int argc, char *argv[]){ char buffer[256]; char saved_sfp[4]; if(argc < 2){ printf("argv error\n"); exit(0); } // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, argv[1]); // restore sfp memcpy(buffer+264, saved_sfp, 4); printf("%s\n", buffer);} sfp값..
[gate@Fedora_1stFloor ~]$ cat ./iron_golem.c/* The Lord of the BOF : The Fellowship of the BOF - iron_golem - Local BOF on Fedora Core 3 - hint : fake ebp*/ int main(int argc, char *argv[]){ char buffer[256]; if(argc < 2){ printf("argv error\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer);} Fedora core3부터는 redhat보다 제대로 된 ASLR이 적용되고, 라이브러리 주소가 0x00으로 시작되고, NX-Bit가 존재한다. 이 말은 즉 프로그..