🎯
deadlocking the reality

Disconnect3d disconnect3d

@disconnect3d
disconnect3d / gdb_bruteforce.py
Last active December 16, 2023 17:57
QIWI CTF re_3 [100 pts] gdb brute force
# QIWI CTF 2016 reverse 3 [100 pts] solution
# The flag could have been calculated by hand,
# but I've decided to write a brute force to train gdb scripting...
# (one had to notice that the input at a particular index changed the output at a particular index linearly)
# thx to http://tromey.com/blog/?p=548
import gdb
import string
break_addr = 0x0000555555554B9F
@disconnect3d
disconnect3d / python_poc_trellix_fix.py
Created April 7, 2023 14:16
Proof of concept on how to exploit the fix/mitigation from TrellixVulnTeam
"""
Please see https://github.com/python/cpython/issues/74453#issuecomment-1500321322
for more details
"""
import tarfile
import os
cwd_name = os.path.basename(os.getcwd())
@disconnect3d
disconnect3d / makefile
Last active November 17, 2022 01:58
Minimal & universal makefile for C language
CC=gcc
CFLAGS=-Wall -Wextra -Wpedantic
LDFLAGS=
SOURCES=$(wildcard *.c )
OBJECTS=$(SOURCES:.c=.o)
EXECUTABLE=exec
all: $(EXECUTABLE)
	./$(EXECUTABLE)
@disconnect3d
disconnect3d / sekaictf2022_pwn_hello_world.py
Last active October 3, 2022 09:53
Solver for pwn hello world task from sekai ctf 2022
#!/usr/bin/env python3
"""
This is the exploit for the SEKAI CTF 2022 PWN Hello World challenge, written by Disconnect3d from justCatTheFish
The exploit has a few steps:
- leaks a libc address
- computes the global canary/cookie address in TLS
- uses a buffer overflow to overwrite the canary and execute a very small ROP chain of 3 gadgets (as we can't fit more)
- those 3 gadgets call read(0, rsp - around 8000, 9000)
@disconnect3d
disconnect3d / kernels.md
Last active September 26, 2022 15:36
Linux kernel repos
@disconnect3d
disconnect3d / README.md
Last active August 10, 2022 17:53
Pwndbg sprint tasks (10.08.2022)

Sprint Pwndbg (10.08.2022)

Hi! Welcome to the Pwndbg sprint page. Below you can read descriptions of example things that could be added to or improved in Pwndbg :).

The tasks vary in difficulty and require different kinds of knowledge. The simpler tasks can help you get oriented in the project structure or in its recurring patterns, e.g. what a "command" looks like.

PS: At the very bottom I added a few examples of various Pwndbg APIs that may come in handy, as well as some information about GDB itself.

@disconnect3d
disconnect3d / README.md
Created January 31, 2021 18:45
justCTF [*] 2020 writeups to Go-fs and D0cker by Disconnect3d

D0cker

In this challenge, we connect to a server which spawns us a Docker container. On the filesystem, there is an oracle.sock with which we have to communicate and we have to find answers to its questions.

➜  pwn_docker git:(master) nc docker-ams32.nc.jctf.pro 1337

Access to this challenge is rate limited via hashcash!
Please use the following command to solve the Proof of Work:
@disconnect3d
disconnect3d / Working GDB on macOS 11.md
Created July 1, 2021 21:02 — forked from mike-myers-tob/Working GDB on macOS 11.md
Steps to get GDB actually working in April 2021 on macOS

Debug with GDB on macOS 11

The big reason to do this is that LLDB has no ability to "follow-fork-mode child", in other words, a multi-process target that doesn't have a single-process mode (or, a bug that only manifests when in multi-process mode) is going to be difficult or impossible to debug, especially if you have to run the target over and over in order to make the bug manifest. If you have a repeatable bug, no big deal, break on the fork from the parent process and attach to the child in a second lldb instance. Otherwise, read on.

Install GDB

Don't make the mistake of thinking you can just brew install gdb. Currently this is version 10.2 and it's mostly broken, with at least two annoying bugs as of April 29th 2021, but the big one is https://sourceware.org/bugzilla/show_bug.cgi?id=24069

$ xcode-select --install  # install the Xcode command-line tools
@disconnect3d
disconnect3d / subprocess.py
Created June 20, 2021 10:45 — forked from thomasballinger/subprocess.py
Using a pseudo-terminal to interact with interactive Python in a subprocess
from subprocess import Popen, PIPE
import pty
import os
from select import select
import sys
import tty
master, slave = pty.openpty()
p = Popen(['python'], stdin=slave, stdout=PIPE, stderr=PIPE)
pin = os.fdopen(master, 'w')
@disconnect3d
disconnect3d / uql_solver.py
Last active April 8, 2021 00:27
Solver for the UQL (Universal Query Language) task from Angstrom CTF 2021
#!/usr/bin/env python
from pwn import *
if args.MOD:
    exe = context.binary = ELF('./a.out')  # my modified version; the leak below works only on the original
else:
    exe = context.binary = ELF('./uql')

def start(argv=[], *a, **kw):