ctf:public:hackover2016:tiny_backdoor_v2

Differences

Below are the differences between two revisions of the page.

ctf:public:hackover2016:tiny_backdoor_v2 [2016/10/22 21:43]
arthaum
ctf:public:hackover2016:tiny_backdoor_v2 [2016/10/22 22:29] (current version)
arthaum
Ligne 13: Ligne 13:
 This challenge is based on [[ctf:​public:​hackover2016:​tiny_backdoor_v1|tiny_backdoor_v1]]. The only difference is that the program calls ''​mprotect(0x600000,​ 0x1000, PROT_READ | PROT_EXEC)''​ before running our shellcode. This challenge is based on [[ctf:​public:​hackover2016:​tiny_backdoor_v1|tiny_backdoor_v1]]. The only difference is that the program calls ''​mprotect(0x600000,​ 0x1000, PROT_READ | PROT_EXEC)''​ before running our shellcode.
  
-The method I used for tiny_backdoor_v1 doesn'​t work anymore because the memory segment at ''​0x600000''​ is no more writeable. I had to come up with a new idea.+The method I used for tiny_backdoor_v1 doesn'​t work anymore because the memory segment at ''​0x600000''​ is no longer ​writeable. I had to come up with a new idea.
  
 My first thought was to write on the stack instead, and then use ROP. Here is my shellcode: My first thought was to write on the stack instead, and then use ROP. Here is my shellcode:
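
Review bot: The reworded sentence still gives the cause only as the segment at ''0x600000'' being "no longer writeable", without tying it to the protection flags. The context line above shows the call as ''mprotect(0x600000, 0x1000, PROT_READ | PROT_EXEC)'', so I would say outright that the new protection omits PROT_WRITE, which is what stops the tiny_backdoor_v1 approach. While the line is being edited for wording, "writeable" could also become the more common "writable".
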
Ligne 36: Ligne 36:
 </​code>​ </​code>​
  
-got another idea. My shellcode itself contains a gadget! That is: ''​pop rsi; syscall; ret''​. This one is kind of useless because we already have it a ''​0x400152''​. The thing is, it gave me the idea of rearranging my shellcode to provide a better gadget. Here is my new shellcode:+had another idea. My shellcode itself contains a gadget! That is: ''​pop rsi; syscall; ret''​. This one is kind of useless because we already have it a ''​0x400152''​. The thing is, it gave me the idea of rearranging my shellcode to provide a better gadget. Here is my new shellcode:
  
 <​code>​ <​code>​
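
Review bot: The revised line still contains a typo that this grammar pass should pick up: "we already have it a ''0x400152''" should read "at ''0x400152''". In the same sentence, "kind of useless" would be clearer if it said directly that the gadget ''pop rsi; syscall; ret'' in the shellcode duplicates the one already present at that address.
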
ctf/public/hackover2016/tiny_backdoor_v2.txt · Last modified: 2016/10/22 22:29 by arthaum