@sroettger
Last active January 2, 2019 10:02
Set Theory (part 1) from Hack Dat Kiwi 2017 CTF.

This challenge awarded part of the points as soon as you found a crash in the binary, a forking network service. With a short LD_PRELOAD library you can bypass all of the networking code and fuzz the handler function directly with AFL in QEMU mode.

The basic steps:

  1. find a libc function that gets called after all initialization is done and override it with the preload library. Alternatively: define a constructor and do the initialization yourself
  2. for position-independent executables, find the load address with dl_iterate_phdr
  3. call whatever function you want to fuzz in the binary
  4. run afl with -Q and AFL_PRELOAD

```sh
AFL_PRELOAD=./libpreload.so afl-fuzz -i testcase_dir -o findings_dir -Q -- ./server
```
```c
#include <signal.h>
#include <unistd.h>

typedef void (*sighandler_t)(int);

/* Interpose libc's signal(): the server calls it once its setup is done,
 * so by the time this runs the binary is fully initialized. Instead of
 * installing a handler, jump straight to the request handler of this
 * (non-PIE) binary at its fixed address 0x404310, then exit once it
 * returns so each AFL run is a single request. */
sighandler_t signal(int signum, sighandler_t handler) {
    (void)signum;
    (void)handler;
    void (*fn)(void) = (void (*)(void))0x404310;
    fn();
    _exit(0);
}
```
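The gist's library works because the target is not position-independent, so the handler has a fixed address. Steps 1 to 3 for a PIE binary look like the following added example, which is not the gist's code: a constructor runs before the target's own initialization, dl_iterate_phdr yields the executable's load address, and the handler is reached as base plus the offset seen in the disassembler. The environment variable FUZZ_HANDLER_OFFSET and the handler signature `void handler(int fd)` are assumptions made for this example; when the variable is unset the library does nothing, so the same object can stay preloaded without side effects. Build it with `gcc -shared -fPIC -o libpreload.so preload.c`.

```c
/* Added example, not the gist's own preload library: resolve a handler
 * inside a PIE binary via dl_iterate_phdr and call it from a constructor. */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

/* Address range of the main executable's PT_LOAD segments. */
struct main_map {
    uintptr_t base;   /* load bias: 0 for non-PIE, randomized for PIE */
    uintptr_t lo, hi; /* lowest/highest mapped address of the executable */
    int found;
};

/* dl_iterate_phdr reports the main program first; record it and stop. */
static int phdr_cb(struct dl_phdr_info *info, size_t size, void *data) {
    struct main_map *m = data;
    (void)size;
    m->base = info->dlpi_addr;
    m->lo = UINTPTR_MAX;
    m->hi = 0;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD)
            continue;
        uintptr_t start = info->dlpi_addr + ph->p_vaddr;
        uintptr_t end = start + ph->p_memsz;
        if (start < m->lo) m->lo = start;
        if (end > m->hi) m->hi = end;
    }
    m->found = 1;
    return 1; /* non-zero stops the iteration after the first object */
}

static int lookup_main(struct main_map *m) {
    m->found = 0;
    dl_iterate_phdr(phdr_cb, m);
    return m->found;
}

/* Load address of the executable: what a disassembler shows as 0 for a PIE. */
uintptr_t find_main_base(void) {
    struct main_map m;
    return lookup_main(&m) ? m.base : 0;
}

/* 1 if p points into the executable's own mapping, 0 otherwise. A cheap
 * sanity check before jumping to a computed address. */
int addr_in_main(uintptr_t p) {
    struct main_map m;
    if (!lookup_main(&m))
        return 0;
    return p >= m.lo && p < m.hi;
}

/* Runtime address of a handler given its offset from the disassembler. */
uintptr_t resolve_handler(uintptr_t offset) {
    return find_main_base() + offset;
}

/* Runs before the target's main(): skips the network setup entirely and
 * calls the handler on stdin, which is where AFL feeds its input. The
 * FUZZ_HANDLER_OFFSET variable and the handler signature void handler(int fd)
 * are assumptions for this example; with the variable unset the library
 * is inert. */
__attribute__((constructor))
static void fuzz_entry(void) {
    const char *off = getenv("FUZZ_HANDLER_OFFSET");
    if (!off)
        return;
    uintptr_t target = resolve_handler((uintptr_t)strtoull(off, NULL, 0));
    if (!addr_in_main(target))
        _exit(1); /* offset does not land inside the binary: refuse to jump */
    void (*handler)(int) = (void (*)(int))target;
    handler(STDIN_FILENO);
    _exit(0);
}
```

The `addr_in_main` check is what keeps a typo in the offset from turning into a jump to an unmapped page, which would otherwise show up in AFL as a crash that has nothing to do with the target. Run it as `FUZZ_HANDLER_OFFSET=0x1234 AFL_PRELOAD=./libpreload.so afl-fuzz -i testcase_dir -o findings_dir -Q -- ./server`, with the offset taken from your own disassembly of the binary.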