dragons_ctf

Recommendations

Info

__stack_chk_fail *** stack smashing detected ***: ./test_32 terminated ======= Backtrace: ========= /lib32/libc.so.6(__fortify_fail+0x50)[0xf75c8b70] /lib32/libc.so.6(+0xe2b1a)[0xf75c8b1a] ./test_32[0x8048550] /lib32/libc.so.6(__libc_start_main+0xe6)[0xf74fcca6] ./test_32[0x8048471] ======= Memory map: ======== 08048000-08049000 r-xp 00000000 08:01 23334379 /home/j00ru/ssp_test/test_32 08049000-0804a000 rw-p 00000000 08:01 23334379 /home/j00ru/ssp_test/test_32 09f20000-09f41000 rw-p 00000000 00:00 0 [heap] f74e5000-f74e6000 rw-p 00000000 00:00 0 […] f7760000-f7767000 rw-p 00000000 00:00 0 f7772000-f7774000 rw-p 00000000 00:00 0 f7774000-f7775000 r-xp 00000000 00:00 0 [vdso] f7775000-f7791000 r-xp 00000000 08:01 27131910 /lib32/ld-2.11.3.so f7791000-f7792000 r--p 0001b000 08:01 27131910 /lib32/ld-2.11.3.so f7792000-f7793000 rw-p 0001c000 08:01 27131910 /lib32/ld-2.11.3.so ff9bc000-ff9d1000 rw-p 00000000 00:00 0 [stack] Aborted
__stack_chk_fail void __attribute__ ((noreturn)) __stack_chk_fail (void) { __fortify_fail ("stack smashing detected"); }
Page 1 and 2: Pwning (sometimes) with style Drago
Page 3 and 4: Dragon Sector? Insomni'hack 2014 Ge
Page 5 and 6: Agenda
Page 7 and 8: The SSP leak • Stack Smashing Pro
Page 9 and 10: SSP basics - canary verification
Page 11: __stack_chk_fail *** stack smashing
Page 15 and 16: The argv array is at the top of the
Page 17 and 18: We can overwrite it, too! $ ./test_
Page 19 and 20: Very powerful memory disclosure •
Page 21: References 1. Dan Rosenberg, Fun wi
Page 24 and 25: Remote KG Task: Given a PCAP file,
Page 26 and 27: Remote KG So… what is this protoc
Page 28 and 29: Remote KG Next steps: ● write a p
Page 30: JS Puzzle Event: Organizers: SECCON
Page 34 and 35: One-gadget RCE on Linux • Assumin
Page 36 and 37: One-gadget RCE on Linux • An exec
Page 38 and 39: One-gadget RCE on Linux If std{out,
Page 40 and 41: I/O redirection /bin/sh &N • By d
Page 42 and 43: One-gadget RCE on Windows • In GN
Page 44 and 45: One-gadget RCE on Windows • There
Page 46: LoadLibrary(“\\11.22.33.44\payloa
Page 49 and 50: zfs Problem 1: Nothing wants to mou
Page 52 and 53: zfs ● xor_key ● key.xor_encrypt
Page 54 and 55: zfs ● Gynvael’s way: Brute forc
Page 56 and 57: zfs Minimizing input - assume that
Page 58 and 59: zfs
Page 60 and 61: zfs
Page 64 and 65:
And about system()… • How do we
Page 66 and 67:
Getting remote shell • Otherwise,
Page 68 and 69:
With this, we can… • Leak the a
Page 70 and 71:
libcdb.com
Page 72 and 73:
There’s another way, too • If w
Page 74:
Other teams do it, as well Quote fr
Page 77 and 78:
World Wide Something ^_- TL;DR: .pc
Page 79 and 80:
World Wide Something ^_- Let's recr
Page 82 and 83:
ROP gadgets near libc imports • E
Page 84 and 85:
ROP gadgets near libc imports • 1
Page 86 and 87:
ROP gadgets near libc imports • S
Page 88 and 89:
Partial .got.plt overwrites • If
Page 90:
Brute-forcing ASLR • ASLR on popu
Page 94 and 95:
Format String Fun Typical exploitat
Page 96 and 97:
Even More Format String Fun! Assume
Page 98 and 99:
Even More Format String Fun! printf
Page 101 and 102:
Getting read / recv to fail Imagine
Page 103 and 104:
One-sided connection termination
Page 105:
One-sided connection termination By
Page 108 and 109:
Mumble Mumble high entropy
Page 110 and 111:
Mumble Mumble Approach change: 1. A
Page 112 and 113:
Mumble Mumble
Page 114 and 115:
Mumble Mumble ...- -... .-. -- -.--
Page 117 and 118:
Patching vs instrumentation ● ●
Page 119 and 120:
0x90 Event: SIGINT CTF 2013 Organiz
Page 121 and 122:
0x90 • We decided to run the bina
Page 123 and 124:
It worked! Bochs log console
Page 125 and 126:
Conclusions • CTFs are really fun
show all

dragons_ctf

Create successful ePaper yourself

Delete template?

Save as template?