session:solution:10
Differences
This shows you the differences between two versions of the page.
| session:solution:10 [2015/07/07 17:00] – Razvan Deaconescu | session:solution:10 [2020/07/19 09:49] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Session 10 Solutions ====== | ====== Session 10 Solutions ====== | ||
| - | ===== ret-to-libc ===== | + | ===== ret-to-plt ===== |
| - | TODO | + | Idea: The stack would need to look like: |
| + | * address of puts (in place of the return address) | ||
| + | * address of exit | ||
| + | * argument to puts call (address of string) | ||
| - | ===== ret-to-plt ===== | + | ===== ret-to-libc ===== |
| + | |||
| + | Idea: The stack would need to look like: | ||
| + | * address of system (in place of the return address) | ||
| + | * address of exit | ||
| + | * argument to system call (address of string) | ||
| - | TODO | + | To find the '' |
| ===== Brute Force ===== | ===== Brute Force ===== | ||
| - | TODO | + | Idea: Used fixed addresses for '' |
| ===== mprotect ===== | ===== mprotect ===== | ||
| - | TODO | + | Idea: The stack would need to look like: |
| + | * address of '' | ||
| + | * address of buffer start (where the shellcode is located) | ||
| + | * first argument of '' | ||
| + | * 2nd argument of '' | ||
| + | ... | ||
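
Review bot: In the new mprotect list, the second entry, "address of buffer start (where the shellcode is located)", is not labelled with its role as the return address of the call, and the list then trails off in "..." after "2nd argument", so the layout is incomplete as documentation. Say what each slot is for, spell out the remaining arguments, and use one style for "first"/"2nd". The same applies to "address of exit" in the ret-to-plt and ret-to-libc lists, where only the first entry is annotated ("in place of the return address"). In the Brute Force line, "Used fixed addresses" should read "Use fixed addresses". The swap of the ret-to-libc and ret-to-plt headings also deserves a mention in the edit summary so readers following old section links are not surprised.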
session/solution/10.1436288417.txt.gz · Last modified: by Razvan Deaconescu
