Skip to content

Instantly share code, notes, and snippets.

@sroettger
sroettger / 300.py
Last active Dec 28, 2018
One solution for the 34c3ctf's 300 heap challenge.
View 300.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.
@sroettger
sroettger / Readme.md
Last active Jan 2, 2019
Set Theory (part 1) from Hack Dat Kiwi 2017 CTF.
View Readme.md

This challenge gave parts of the points as soon as you find a crash in the binary, which was a forking network service. With a short LD_PRELOAD library, you can bypass all the networking code and fuzz the handler function directly with afl using the qemu mode.

The basic steps:

  1. find a libc function that gets called after all initialization is done and overwrite it. Alternatively: define a constructor and do the initialization yourself
  2. for position-independent executables, find the load address with dl_iterate_phdr
  3. call whatever function you want to fuzz in the binary
  4. run afl with -Q and AFL_PRELOAD
@sroettger
sroettger / libpreload.c
Created Oct 15, 2017
Set Theory from Hack Dat Kiwi 2017 CTF.
View libpreload.c
#include <signal.h>
#include <unistd.h>
typedef void (*sighandler_t)(int);
sighandler_t signal(int signum, sighandler_t handler) {
void (*fn)() = (void (*)())0x404310;
fn();
_exit(0);
}
@sroettger
sroettger / secuvps.md
Created Jul 10, 2016
Secuinside SecuVPS writeup
View secuvps.md

SecuVPS was another pwning challenge (though it was marked as misc).

You had a website where you could download a patched ssh client including the sources and luckily they even told you the original source repo of the code they used. That made finding the diff easy: git clone the original repo, replace the code with the patched files and take a look at git diff. There were two changes:

  • a function in the packet handling that checks for packet type 94 and gives you an arbitrary write
  • the banner was changed to include two info leaks, a pointer from the binary and a pointer from the stack

Since we don't want to reimplement the ssh protocol, let's reuse the ssh code that we got. Compile your own sshd, run it with in verbose mode and connect against it with the vulnerable ssh binary. You'll see some messages abuot key exchange packets and one that prints "no match: $BANNER". So we can find these messages in the source and put our exploit code there. I.e. where it says "no match" we parse the info leak and in

@sroettger
sroettger / noted.md
Created Jul 10, 2016
Secuinside noted writeup
View noted.md

Noted was a 32bit pwnable that read / write notes which are backed by files on the disk. Every file started with a 16 byte password and then you were able to write up to 0x400 bytes to the file. When editing notes, you were allowed to write as many bytes to the file as it contained previously, but the buffer had a fixed size. So if you'd find a way to create a file that is bigger than 0x400 bytes then you'd have a straight forward stack overflow. The bug was in the way the length check worked and the mandatory 16 byte password at the beginning. If you create a file that only contained the password, the length check would underflow and allow you to write (unsigned) -1 bytes to the file / local buffer. The same code would also leak the stack content to you.

From there it was slightly complicated rop since I didn't figure out how to use the plt on x86. First leak the libc address from the got by jumping to one of the puts calls in the binary. On the next return we can gain code execution again by having the ebp

@sroettger
sroettger / doit.py
Created Jun 6, 2016
alictf starcraft exploit
View doit.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import struct
import sys
import struct
import pwn
from find_offset import get_libc_off, MyException
@sroettger
sroettger / js_sandbox.js
Created Apr 17, 2016
Exploit for the js_sandbox challenge of Plaid CTF 2016
View js_sandbox.js
with (true) {
// f() will allocate a buggy JSArray. The length is set to 24 but the capacity is only 16.
// take a look at JSCreateLowering::ReduceJSCreateArray to see why this is happening
function f(){
var x = 8;
var y = 0xffffffff;
var ind = x & y;
x = 16;
y = 0xffffffff;
var ind2 = ind + (x&y);
You can’t perform that action at this time.