gdb-peda$ telescope $sp 20
00:0000| esp 0xffffdef0 --> 0x4 argc
01:0004| 0xffffdef4 --> 0xffffdfd3 ("arg0") argv[]
02:0008| 0xffffdef8 --> 0xffffdfd8 ("arg1")
03:0012| 0xffffdefc --> 0xffffdfdd ("arg2")
04:0016| 0xffffdf00 --> 0xffffdfe2 ("arg3")
05:0020| 0xffffdf04 --> 0x0 end of argv[]
06:0024| 0xffffdf08 --> 0xffffdfe7 ("env0") envp[]
07:0028| 0xffffdf0c --> 0xffffdfec ("env1")
#!/usr/bin/env python2
#
# CVE-2014-6271 reverse shell
#
# Same as all the others, just showing off some pwntools.
#
# Usage:
# python shell.py http://host/cgi-bin/script.sh
# python shell.py http://host/cgi-bin/script.sh PORT=12345
#
Simple shellcoding challenge from a Raytheon SI hiring/meet-greet/CTF event.
Basically, you provide data four bytes at a time. This is stored in an 8-byte allocation. The second 4 bytes of the allocation are a pointer to the next allocation.
The challenge is less difficult than it first appears. Looking at the x86 opcodes, there's no way to do a direct JMP or CALL. However, because of the heap layout, you can just do 'jmp $+offset'.
The remaining difficulty is then doing stuff with 2-byte opcodes. I chose to rewrite the pwntools pushstr method to do it with just 2-byte opcodes by INCing and SHIFTing and PUSHing eax.
29C3 CTF - ru1337
Looking for some things to keep me busy since we didn't qual for DEFCON this year :(.
This is an exploitation challenge from the Chaos Computer Conference 29. Let's take a look.
Initial Survey
checksec tells us that we don't have to worry about ASLR or stack canaries.
Codegate 2013 Vuln 400 Writeup
Initial Investigation
Cool, we're actually getting to something with mitigations!
checksec.sh --file 7b80d4d56c282a310297336752c589b7
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH 7b80d4d56c282a310297336752c589b7
Codegate 2013 Vuln 300 Writeup
Initial Analysis
The binary accepts data over stdin/stdout, and spits back at you a bunch of printable characters, appended with a number of your choosing.
$ checksec.sh --file 8ff953dd97c4405234a04291dee39e0b
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
No RELRO No canary found NX disabled No PIE No RPATH No RUNPATH 8ff953dd97c4405234a04291dee39e0b
$ file 8ff953dd97c4405234a04291dee39e0b
Codegate 2013 Vuln 200 Writeup
Initial Analysis
It's a 32-bit binary with no mitigations.
$ file ./94dd6790cbf7ebfc5b28cc289c480e5e
./94dd6790cbf7ebfc5b28cc289c480e5e: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xce5456409e1bfe207cd58c5b77ce99125d3b8d0f, stripped
$ checksec.sh --file 94dd6790cbf7ebfc5b28cc289c480e5e
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Codegate 2013 Vuln 100 Writeup
Initial Investigation
Simple forking server listens on port 6666.
$ checksec.sh --file ./94dd6790cbf7ebfc5b28cc289c480e5e
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO No canary found NX disabled No PIE No RPATH No RUNPATH ./94dd6790cbf7ebfc5b28cc289c480e5e