I hereby claim:
- I am itszn on github.
- I am itszn (https://keybase.io/itszn) on keybase.
- I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo
To claim this, I am signing this object:
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
from ctypes import *

libc = CDLL('libc.so.6')
# PROT_READ|PROT_WRITE|PROT_EXEC == 7: make the page at 0x400000 writable and executable
libc.mprotect(c_void_p(0x400000), 0x1000, 7)
# Raw x86-64 machine code; its disassembly reads the NUL-terminated string at rdi and
# writes each byte to rsi as a \xNN escape, using the embedded "0123456789ABCDEF" table
s = bytes.fromhex("e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3")
#s = b"\xc3"  # a lone `ret`, handy for testing that the copy itself works
# Copy the bytes to the start of the now-writable page
libc.memcpy(c_void_p(0x400000), c_char_p(s), len(s))
This challenge was a source-only pwnable based on an aliasing bug with -O2. Also, not all of the source code was given.
Intended solution outline:
- In the source, in assignVotes, a voter and a candidate can become aliased, and -O2 optimization causes an incorrect return value.
  o If the person is the same as the candidate, it sets voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
  o Then, when going to print the error message, it instead tries to print the votes (if the value is greater than the address of main).
  o This prints whatever pointer is given, allowing memory to be leaked up to a null byte.
- Now with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge).
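A deterministic model of the bug outlined above and of a fixed shape, added here as an example; it is not the challenge's source (which was not fully given), and the struct layouts, function names and the code_floor check are assumptions built from the outline:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts: the challenge did not ship these structs.  What
 * matters is that both fields sit at offset 0 and have pointer size. */
struct voter     { uintptr_t   votesToGive; };
struct candidate { const char *voteMessage; };

/* Model of what -O2 produced.  C's strict-aliasing rule lets the compiler
 * assume a struct voter* and a struct candidate* never point at the same
 * storage, so the load of votesToGive is hoisted above the store to
 * voteMessage and the self-vote path returns the ORIGINAL votesToGive
 * (player-supplied input) instead of the message address it now holds. */
uintptr_t assign_votes_as_compiled(struct voter *v, struct candidate *c,
                                   uintptr_t votes) {
    uintptr_t before = v->votesToGive;               /* hoisted load */
    if ((void *)v == (void *)c) {
        c->voteMessage = "cannot vote for yourself";  /* overwrites votesToGive */
        return before;                               /* stale: store never re-read */
    }
    v->votesToGive = before - votes;
    return v->votesToGive;
}

typedef enum { PRINT_AS_COUNT, PRINT_AS_MESSAGE } interp_t;

/* Caller pattern from the writeup: a return above the code floor (the
 * address of main) is treated as an error-message pointer and printed as a
 * string, anything lower as a vote count.  With the stale return, any
 * votesToGive the player supplied above that floor would be dereferenced. */
interp_t classify_return(uintptr_t ret, uintptr_t code_floor) {
    return ret > code_floor ? PRINT_AS_MESSAGE : PRINT_AS_COUNT;
}

/* Fixed shape: one type for both parties (nothing to mis-alias) and the
 * message travels in its own out-parameter, so no integer is ever
 * reinterpreted as a pointer by the caller. */
bool assign_votes_fixed(struct voter *v, const struct voter *candidate,
                        uintptr_t votes, const char **msg) {
    if (v == candidate)         { *msg = "cannot vote for yourself"; return false; }
    if (votes > v->votesToGive) { *msg = "not enough votes";         return false; }
    v->votesToGive -= votes;
    *msg = NULL;
    return true;
}
```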
This challenge required that you write cheats for a Minecraft clone to bypass a large wall.
There are tons of ways to solve this, but here was the main idea.
- There was a function on the client side that returned whether a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent).
  o Also note, I didn't modify the server to ignore these; Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can now toggle these abilities.
However, the binary had extra anti-cheat built in