session:solution:10
Differences
This shows you the differences between two versions of the page.
session:solution:10 [2015/07/07 17:00] – Razvan Deaconescu | session:solution:10 [2020/07/19 09:49] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Session 10 Solutions ====== | ====== Session 10 Solutions ====== | ||
- | ===== ret-to-libc ===== | + | ===== ret-to-plt ===== |
- | TODO | + | Idea: The stack would need to look like: |
+ | * address of puts (in place of the return address) | ||
+ | * address of exit | ||
+ | * argument to puts call (address of string) | ||
- | ===== ret-to-plt ===== | + | ===== ret-to-libc ===== |
+ | |||
+ | Idea: The stack would need to look like: | ||
+ | * address of system (in place of the return address) | ||
+ | * address of exit | ||
+ | * argument to system call (address of string) | ||
- | TODO | + | To find the '' |
===== Brute Force ===== | ===== Brute Force ===== | ||
- | TODO | + | Idea: Used fixed addresses for '' |
===== mprotect ===== | ===== mprotect ===== | ||
- | TODO | + | Idea: The stack would need to look like: |
+ | * address of '' | ||
+ | * address of buffer start (where the shellcode is located) | ||
+ | * first argument of '' | ||
+ | * 2nd argument of '' | ||
+ | ... | ||
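Review bot: In the Brute Force row the added text starts "Idea: Used fixed addresses", which should read "Use fixed addresses" to match the imperative wording of the other sections. In the ret-to-plt and ret-to-libc lists, the second entry ("address of exit") is the slot that puts or system returns to. Saying so explicitly would make these lists consistent with the mprotect list, whose second entry is described by its role (the buffer start where the shellcode is located). The revision also swaps the order of the ret-to-libc and ret-to-plt headings; if other session pages link to these sections by position, check that they still point at the right one.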
session/solution/10.1436288417.txt.gz · Last modified: by Razvan Deaconescu