http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship_2round&no=1
[Mob list]
LEVEL1 (gate -> gremlin) : simple bof
Solution
- Shellcode in a local variable
- Shellcode in an environment variable
- Shellcode in argv
- etc.
LEVEL2 (gremlin -> cobolt) : small buffer
- Shellcode in a local variable X
- Shellcode in an environment variable
- Shellcode in argv
- etc.
LEVEL3 (cobolt -> goblin) : small buffer + stdin
- Use cat and a pipe (|)
LEVEL4 (goblin -> orc) : egghunter
- Shellcode in a local variable
- Shellcode in an environment variable X
- Shellcode in argv
- etc.
LEVEL5 (orc -> wolfman) : egghunter + bufferhunter
- Shellcode in a local variable X
- Shellcode in an environment variable X
- Shellcode in argv
- etc.
LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter
- Shellcode in argv -> use argv[2] or higher
- etc.
LEVEL7 (darkelf -> orge) : check argv[0]
- Symbolic link
- Use exec*
LEVEL8 (orge -> troll) : check argc
- Shellcode in argv[0]
LEVEL9 (troll -> vampire) : check 0xbfff
- Environment variable spraying
- etc.
LEVEL10 (vampire -> skeleton) : argv hunter
- Shellcode in the copied argv[0]
- etc.
LEVEL11 (skeleton -> golem) : stack destroyer
- LD_PRELOAD, LD_LIBRARY_PATH
LEVEL12 (golem -> darkknight) : sfp
- frame pointer overflow
LEVEL13 (darkknight -> bugbear) : RTL1
- Use the system function
LEVEL14 (bugbear -> giant) : RTL2, only execve
- Set up the execve arguments correctly
LEVEL15 (giant -> assassin) : no stack, no RTL
- ret + ret
LEVEL16 : assassin -> zombie_assassin
- fake ebp
LEVEL17 : zombie_assassin -> succubus
- Chained function calls
LEVEL18 : succubus -> nightmare
- Use the PLT
- Overwrite AAAA
- Overwrite strcpy's code
- Overwrite printf's code, or printf's PLT or GOT
- etc.
LEVEL19 : nightmare -> xavis
- fgets + destroyers
LEVEL20 : xavis -> dragon
- remote BOF
Hit : 2678 Date : 2010/03/24 09:46