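tl;dr - use the UAF (use-after-free) in sell_car
to perform a fastbin attack and overwrite __malloc_hook
with a one_gadget. (Overwriting __malloc_hook only works on glibc versions before 2.34, which removed the malloc hooks.)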
I heard glibc malloc is fast. But not as fast as these cars.
Challenge author: k1R4
#!/usr/bin/env python3 | |
from dn3 import * | |
opcodes = { | |
"ADD": 0xb0, | |
"SUB": 0xb1, | |
"MUL": 0xb2, | |
"SHR": 0xb3, | |
"SHL": 0xb4, | |
"PUSH": 0xb5, |
#define _GNU_SOURCE | |
#include <sys/ioctl.h> | |
#include <fcntl.h> | |
#include <unistd.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
typedef struct | |
{ |
#include <linux/signal.h> | |
#include <linux/virtio.h> | |
#include <linux/virtio_config.h> | |
#include <asm/page_types.h> | |
#include <linux/kernel.h> | |
#include <linux/module.h> | |
#include <linux/device.h> | |
#include <linux/mutex.h> | |
#include <linux/fs.h> | |
#include <linux/slab.h> |
#define _GNU_SOURCE | |
#include <string.h> | |
#include <stdarg.h> | |
#include <stdio.h> | |
#include <sys/types.h> | |
#include <fcntl.h> | |
#include <sched.h> | |
#include <sys/syscall.h> | |
#include <sys/ioctl.h> | |
#include <unistd.h> |
#!/usr/bin/env python3 | |
from dn3 import * | |
exe = ELF("chall") | |
libc = ELF("libc.so.6") | |
ctx.binary = exe | |
ctx.terminal = "st".split() | |
#ctx.log = 0 |
# flake8: noqa | |
#!/usr/bin/env python3 | |
from dn3 import * | |
exe = ELF("math-door") | |
libc = ELF("libc.so.6") | |
ctx.binary = exe | |
ctx.terminal = "tmux new-window".split() | |
#ctx.log = 0 |
#!/usr/bin/env python3 | |
from dn3 import * | |
from pwn import ELF | |
from binascii import hexlify | |
libc = ELF("libc-2.31.so", checksec=False) | |
#opcodes | |
LUI_ = 0x37 | |
LTYPE = 0x3 |
from dn3 import * | |
libc = ELF("lib/libc.so.6") | |
#context.log = 0 | |
context.terminal = "tmux new-window".split() | |
breakpoints = ''' | |
b init_vm | |
c |
#define _GNU_SOURCE | |
#include <stdio.h> | |
#include <sys/types.h> | |
#include <sys/stat.h> | |
#include <fcntl.h> | |
#include <sched.h> | |
#include <sys/mman.h> | |
#include <signal.h> | |
#include <sys/syscall.h> | |
#include <sys/ioctl.h> |
tl;dr - use the UAF (use-after-free) in sell_car
to perform a fastbin attack and overwrite __malloc_hook
with a one_gadget.
I heard glibc malloc is fast. But not as fast as these cars.
Challenge author: k1R4