
kaftejiman /
Last active March 22, 2024 23:34
ret2csu exploitation technique ROP pwn


I wanted to make a clean and simple explanation of the ret2csu exploitation technique, as I didn't get it easily with the resources I found on Google. As far as my understanding goes, you should take it with a grain of salt.

Tests were carried out on an AMD64 Ubuntu Linux system.

kaftejiman /
Created February 15, 2021 00:43
pimp my exploit *recommended for you, yes you*
  1. Create this file speak.bat (this example is on Windows; change accordingly for your OS):

@echo off
rem Read every line piped on stdin ('more' drains the pipe) and speak it aloud,
rem followed by a fixed celebratory phrase. Requires the System.Speech assembly.
for /F "tokens=*" %%a in ('more') do (
        PowerShell -Command "Add-Type -AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('"%%a"');"
        PowerShell -Command "Add-Type -AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('haxored! haxored! haxored! haxored! haxored! haxored!');"
)

  2. Add the directory containing said file to your PATH.
kaftejiman /
Last active January 18, 2021 14:55
Write-up for The Vault challenge from BambooFox CTF 2021

BambooFox CTF 2021 - The Vault

Given a web page index.html that displays a keypad, a JavaScript driver file main.js and a compiled WebAssembly binary (wasm), you are supposed to find the PIN that unlocks the vault.

Blackbox approach

Without dealing with the wasm binary at first, reading through main.js, specifically lines 18 to 25, there appear to be some environment validations and checks.