@gavz
Forked from sroettger/Readme.md
Created October 15, 2017 13:24
Set Theory (part 1) from Hack Dat Kiwi 2017 CTF.

This challenge awarded part of the points as soon as you found a crash in the binary, a forking network service. With a short LD_PRELOAD library you can bypass all of the networking code and fuzz the request handler function directly with afl in qemu mode (-Q), feeding test cases on stdin instead of over a socket.

The basic steps:

  1. find a libc function that the binary calls after all of its initialization is done (here: signal) and override it in the preload library, so that call becomes your entry point. Alternatively: define a constructor and do the initialization yourself
  2. for position-independent executables, find the load address with dl_iterate_phdr and add the handler's offset to it (the binary here is not PIE, so the address can be hard-coded)
  3. call whatever function you want to fuzz in the binary, then _exit(0) so a clean run is reported as a non-crash
  4. run afl with -Q and AFL_PRELOAD, which makes qemu load the library into the emulated binary

```
AFL_PRELOAD=./libpreload.so afl-fuzz -i testcase_dir -o findings_dir -Q -- ./server
```
```c
#include <signal.h>
#include <unistd.h>

typedef void (*sighandler_t)(int);

/* The server installs a signal handler after all initialization is done, so
 * overriding signal() via LD_PRELOAD hijacks control right at that point.
 * 0x404310 is the handler function in the (non-PIE) challenge binary. */
sighandler_t signal(int signum, sighandler_t handler) {
    void (*fn)() = (void (*)())0x404310;
    fn();        /* a crash here is what afl is looking for */
    _exit(0);    /* never returns to the server's networking code */
}
```
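The gist's library only works because the challenge binary is not PIE, so the handler address can be hard-coded. The following is an added example (not part of the gist or the original write-up) of the constructor variant from step 1 combined with the dl_iterate_phdr lookup from step 2: it identifies the main executable by matching its program headers against the AT_PHDR aux-vector value the kernel provides, takes its load base (0 for non-PIE, the ASLR slide for PIE), sanity-checks that base + offset lands inside an executable PT_LOAD segment, and only then calls it. `HARNESS_OFFSET`, `demo_handler` and the helper names are assumptions made for this example; in a real harness the offset comes from disassembling the target.

```c
// Added example, not the gist's code: relocation-aware LD_PRELOAD harness.
#define _GNU_SOURCE
#include <link.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Where the main executable ended up; filled in by the callback below. */
static uintptr_t main_base;
static const ElfW(Phdr) *main_phdr;
static ElfW(Half) main_phnum;

struct scan { int seen_any; uintptr_t first_base; const ElfW(Phdr) *first_phdr; ElfW(Half) first_phnum; };

/* dl_iterate_phdr callback. The main program is the object whose program
 * headers are exactly the ones the kernel passed in AT_PHDR, which is more
 * robust than testing for an empty dlpi_name. The first entry is remembered
 * as a fallback (glibc reports the main program first). */
static int find_main(struct dl_phdr_info *info, size_t size, void *data)
{
    struct scan *s = data;
    (void)size;
    if (!s->seen_any) {
        s->seen_any = 1;
        s->first_base = info->dlpi_addr;
        s->first_phdr = info->dlpi_phdr;
        s->first_phnum = info->dlpi_phnum;
    }
    if ((uintptr_t)info->dlpi_phdr == getauxval(AT_PHDR)) {
        main_base = info->dlpi_addr;      /* 0 for non-PIE, slide for PIE */
        main_phdr = info->dlpi_phdr;
        main_phnum = info->dlpi_phnum;
        return 1;                         /* stop iterating */
    }
    return 0;
}

/* Load base of the main executable (step 2 of the README). */
uintptr_t find_main_base(void)
{
    if (main_phdr) return main_base;
    struct scan s = {0};
    dl_iterate_phdr(find_main, &s);
    if (!main_phdr && s.seen_any) {       /* fallback: first object reported */
        main_base = s.first_base;
        main_phdr = s.first_phdr;
        main_phnum = s.first_phnum;
    }
    return main_base;
}

/* 1 if addr lies inside an executable PT_LOAD segment of the main binary,
 * after relocation by the base found above. */
int in_main_text(uintptr_t addr)
{
    find_main_base();
    for (ElfW(Half) i = 0; i < main_phnum; i++) {
        const ElfW(Phdr) *p = &main_phdr[i];
        if (p->p_type != PT_LOAD || !(p->p_flags & PF_X)) continue;
        uintptr_t lo = main_base + p->p_vaddr;
        if (addr >= lo && addr < lo + p->p_memsz) return 1;
    }
    return 0;
}

/* Call the function at base + offset (the gist's "0x404310" made PIE-safe).
 * Returns the callee's result, or -1 without calling anything if the target
 * is not in the binary's text, i.e. the offset or base is wrong. */
int call_at_offset(uintptr_t offset)
{
    uintptr_t target = find_main_base() + offset;
    if (!in_main_text(target)) return -1;
    int (*fn)(void) = (int (*)(void))target;
    return fn();
}

/* Stand-in for the challenge's request handler, constructed for this example
 * so the offset arithmetic can be exercised against a known function. */
int demo_handler(void) { return 42; }

/* The constructor alternative from step 1: runs before main() of the target.
 * Only compiled in when HARNESS_OFFSET (the handler's file offset, an
 * assumption here) is given on the compiler command line. */
#ifdef HARNESS_OFFSET
__attribute__((constructor))
static void harness(void)
{
    call_at_offset(HARNESS_OFFSET);   /* handler reads its input from stdin */
    _exit(0);                         /* clean return = no crash for afl */
}
#endif
```

Build it as a shared object, for example `gcc -shared -fPIC -DHARNESS_OFFSET=0x1234 -o libpreload.so harness.c` with the real handler offset, and run it with the same AFL_PRELOAD/-Q command as above. The in_main_text check is worth keeping even for a non-PIE target: a typo in the offset then fails fast instead of producing a spurious crash that afl would happily collect as a finding.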