1115

docs/pwnable/[2016_hitcon] [PWN] secret holder.rst

@@ -0,0 +1,54 @@
+============================================================================================================
+[2016_hitcon] [PWN] Secret Holder
+============================================================================================================
+
+문제 내용
+============================================================================================================
+
+Break the Secret Holder and find the secret.
+nc 52.68.31.117 5566
+SecretHolder
+
+
+
+
+============================================================================================================
+
+프로그램 실행 시 3가지 선택 메뉴와 함께 다음과 같은 화면이 나온다.
+
+.. code-block:: console
+
+    Hey! Do you have any secret?
+    I can help you to hold your secrets, and no one will be able to see it :)
+    1. Keep secret
+    2. Wipe secret
+    3. Renew secret
+
+1. Keep secret을 선택할 경우 다음과 같은 화면이 나온다.
+
+
+.. code-block:: console
+
+    Which level of secret do you want to keep?
+    1. Small secret
+    2. Big secret
+    3. Huge secret
+
+
+2. wipe secret을 선택할 경우 다음과 같은 화면이 나온다.
+
+.. code-block:: console
+
+    Which Secret do you want to wipe?
+    1. Small secret
+    2. Big secret
+    3. Huge secret
+
+3. Renew secret을 선택할 경우 다음과 같은 화면이 나온다.
+
+.. code-block:: console
+
+    Which Secret do you want to renew?
+    1. Small secret
+    2. Big secret
+    3. Huge secret

docs/wargame/pwnable/lob1.rst

@@ -40,22 +40,33 @@ Source code
 Vulnerabliity Vector
 ============================================================================================================
 
-스택 메모리 공간에 다음과 같이 들어가게 된다.
+main 함수의 ret를 덮어씌워 오버플로우를 발생시킨다.
 
 .. code-block:: console
 
-    ===============
+    ==============================
     LOW     
-    ---------------
-    Buffer  (256byte)
-    SFP     (4byte) 
-    RET     (4byte)   
-    argc    (4byte)   
-    argv    (4byte)   
-    envp    (4byte)   <
-    ---------------
-    HIGH    
-    ===============
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name
+    NULL
+    ------------------------------
+    HIGH (0xC0000000)    
+    ==============================
 
 |
 
@@ -132,22 +143,35 @@ exploit
 
 |
 
-RET를 환경 변수 주소로 덮어씌워 공격 진행
+환경 변수 주소 쉘코드 실행
 ------------------------------------------------------------------------------------------------------------
 
 
 .. code-block:: console
 
-    ===============
+    ==============================
     LOW     
-    ---------------
-    Buffer  (256byte) <- dummy
-    SFP     (4byte)   <- dummy
-    RET     (4byte)   <- envp address
-    envp    (4byte)   <- nopsled shellcode
-    ---------------
-    HIGH    
-    ===============
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers ->> shellcode
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name
+    NULL
+    ------------------------------
+    HIGH (0xC0000000)    
+    ==============================
 
 |
 

docs/wargame/pwnable/lob10.rst

@@ -71,24 +71,33 @@ Source Code
 Vulnerabliity Vector
 ============================================================================================================
 
-스택 메모리 공간에 다음과 같이 들어가게 된다.
+main 함수의 ret를 덮어씌워 오버플로우를 발생시킨다.
 
 .. code-block:: console
 
-    ================
+    ==============================
     LOW     
-    ----------------
-    Buffer  (40byte) 
-    SFP     (4byte)
-    RET     (4byte) 
-    argc    (4byte)
-    argv    (4byte)  
-    ......
-    program name     <
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name
     NULL
-    ----------------
-    HIGH    
-    ================
+    ------------------------------
+    HIGH (0xC0000000)    
+    ==============================
 
 |
 
@@ -172,21 +181,34 @@ exploit
 program명 주소를 찾아서 RET로 덮어씌우면 됩니다.
 
 
-RET를 프로그램 이름이 존재하는 주소로 덮어씌워 공격 진행
+program name 쉘코드 실행
 ------------------------------------------------------------------------------------------------------------
 
 .. code-block:: console
 
-    ================
+    ==============================
     LOW     
-    ----------------
-    Buffer  (40byte) <- dummy*40
-    SFP     (4byte)  <- dummy*4
-    RET     (4byte)  <- program name 주소
-    program name     
-    ----------------
-    HIGH    
-    ================
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name ->> shellcode
+    NULL
+    ------------------------------
+    HIGH (0xC0000000)    
+    ==============================
 
 |
 

docs/wargame/pwnable/lob11.rst

@@ -58,26 +58,36 @@ source code
 
 |
 
-
 Vulnerabliity Vector
 ============================================================================================================
 
-스택 메모리 공간에 다음과 같이 들어가게 된다.
+main 함수의 ret를 덮어씌워 오버플로우를 발생시킨다.
 
 .. code-block:: console
 
-    ================
+    ==============================
     LOW     
-    ----------------
-    Buffer  (40byte)
-    SFP     (4byte)
-    RET     (4byte)
-    argc    (4byte)
-    argv[0] (4byte)
-    argv[1] (4byte)
-    ----------------
-    HIGH    
-    ================
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name
+    NULL
+    ------------------------------
+    HIGH (0xC0000000)    
+    ==============================
 
 |
 
@@ -168,21 +178,35 @@ gdb를 통해 공유 라이브러리에 올라간 쉘코드 주소를 확인합
 
 |
 
-RET 주소를 공유 라이브러리 로드 주소로 변경하여 공격 진행
------------------------------------------------------------------------------
+shared libc 주소 쉘코드 실행
+------------------------------------------------------------------------------------------------------------
 
 .. code-block:: console
 
-    ================
+    shared libc ->> shellcode
+    ==============================
     LOW     
-    ----------------
-    shared libc
-    Buffer  (40byte) <- dummy*40
-    SFP     (4byte)  <- dummy*4
-    RET     (4byte)  <- shared libc 주소
-    ----------------
-    HIGH    
-    ================
+    ------------------------------
+    local variables of main
+    saved registers of main
+    return address of main <<- overflow
+    argc
+    argv
+    envp
+    stack from startup code
+    argc
+    argv pointers
+    NULL that ends argv[]
+    environment pointers
+    NULL that ends envp[]
+    ELF Auxiliary Table
+    argv strings
+    environment strings
+    program name
+    NULL
+    ------------------------------
+    HIGH (0xC0000000)
+    ==============================
 
 |