https://dreamhack.io/board/beta-feedback/129 The picture wasn't attached, so I left it on the feedback side, but there was no answer, so I'm posting it here again I would appreciate it if you could let me know what part I'm mistaken about.

When solving a problem, ` payload = “%p “*15 payload += p32 (getshell) ` I was able to obtain a shell by writing and running it this way. The size of heap_buf is 0x80, and the size of stack_buf is 0x90 If you execute it as written in the payload above heap_buf contains a size of 0xa0. Similarly, stack_buf also has 0

I tried using a solution such as basic_exploitation_002 where the address of the value to be changed is entered into the stack for the first time and the value is entered using %n for that address. There is a seg fault in sprintf. The reason for the segfault in the sprintf function is a string copied to the stack ex) AAAA%2050c... => 41414141202020202020202

The problem was solved successfully, but I would like to ask a question about the process. At first, I thought it would be similar to the previous question, and I wrote it like this: shell1 = 0x69 shell2 = 0x86 shell3 = 0x04 shell4 = 0x08 payload = p32 (printf_got) payload += p32 (printf_got + 1) Payloa

payload = b'%105c%7$hhn' + b'%29c%8$hhnaaa' + p32 (print_got) + p32 (print_got) + p32 (print_got+1) payload = p32 (print_got) + p32 (print_got+1) + b'%97c%1$hhn' + b'%29c%2$hhn' (1) In the case of a format string + address, a seg fault occurs

basic-exploitation-002 has the same symptoms. I have no idea. If you install Ubuntu 16.04 or x86 locally and run binary directly from there to inject the payload, you can also see that the return address is changed on gdb, but it dies when a seg fault occurs before going to get_shell. Identical payload

I think they often use the method of filling the buffer with the sprintf function and then covering it with ret address, but I like fsb's classic (?) I used the method of overwriting got in printf on the street. However, I have a few questions here, so I would like to ask you a question. The overall payload was written as follows: pay = b'aaaaa' pay += p32 (ove

This is a problem where Pi and Canary are disabled on ubuntu 16.04. #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <unistd.h> void alarm_handler () { puts (“TIME OUT”); exit (-1); } void initialize () {

I'm trying to solve the problem by covering printf_got with get_shell I don't think fmtstr_payload is the only one that doesn't seem to be eating again, can you figure out why payload = fmtstr (1, {printf_got: get_shell}) I wrote it this way.

My knowledge was very short, so it was a bit difficult to solve because I was stuck in the basics. I'm asking about the payload configuration in this issue (link to the question: https://dreamhack.io/forum/qna/2530/) “Overwrite overwritten 0x69 by pay += b'%85c%4$hhn'. Since it's 4$, the 4 bytes on the 4th * 4th of pay (overw