@c4ebt
c4ebt / ex-helpless.py
Last active December 6, 2022 20:04
corCTF 2021 Helpless solution by c4e (author)
#!/usr/bin/python
# corCTF 2021 Helpless solution by c4e (author)
# there are many different techniques that can be used to solve Helpless because of
# the nature of the challenge (UAF, variety of sizes allowed)
# My solution uses a House of Rust smallbin variation and then finishes the exploit off
# with a standard __GI__IO_file_jumps fsop triggered with stdout.
# feel free to dm me on discord if you want to discuss the solution. c4e#1255
@c4ebt
c4ebt / ex-rusty.py
Last active November 12, 2021 20:58
corCTF 2021 Rusty solution by c4e (author)
#!/usr/bin/python
# corCTF 2021 Rusty solution by c4e (author)
# this is the commented version of my rusty exploit
# I literally planned everything as I wrote it so hopefully the thought process I followed is
# understandable and you can have a laugh at some dumb stuff as well that I was too lazy to clean.
# The challenge got only 1 solve by M30W from team Dio. We talked about our solutions and they were
# pretty similar, except theirs made me realize how dumb I was thinking I needed a double poison null byte
# scenario to get a double overlap and work from there. That made my exploit way more painful than it

#!/usr/bin/python
from pwn import *
context.log_level = "DEBUG"
#context.terminal = ['tmux', 'splitw', '-hp', '60']
libc = ELF("./libc.so.6")
elf = ELF("./sice_sice_baby")
#p = gdb.debug(elf.path, "c")
#p = process(elf.path)
p = remote("dicec.tf", 31914)