[*] './heapfun4u'
Arch: amd64-64-little
RELRO: Partial RELRO
import scapy, struct, socket, binascii, logging
from scapy.all import *
from collections import defaultdict
#
# Entry
#
def USBIP(PacketData):
    if PacketData[:2] == '\x01\x11':  # USB/IP protocol version 0x0111
The write-up is basically the exploit.
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
 804844b:       55                      push   ebp
 804844c:       89 e5                   mov    ebp,esp
 804844e:       81 ec 88 00 00 00       sub    esp,0x88
 8048454:       83 ec 04                sub    esp,0x4
 8048457:       68 00 01 00 00          push   0x100
I hereby claim:
- I am zachriggle on github.
- I am zachriggle (https://keybase.io/zachriggle) on keybase.
- I have a public key ASBYNpGGwzmRUnRb5-fg2Qy7jdirdXG-ECeIbGP_Lv72oQo
To claim this, I am signing this object:
Lots of commands in GDB's remote serial protocol carry hex-encoded data. A $ starts a packet, and every packet ends with # followed by a checksum: the sum of the payload bytes modulo 256, sent as two hex digits. The checksum only catches corruption on the wire; nothing in the framing authenticates either side.
Let's look at the protocol for the request:
    remote get /proc/self/cmdline ./cmdline
which should fetch /proc/self/cmdline from the target and dump it to ./cmdline. It does!
    $ phd cmdline
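The exchange behind that command, as an added example (this is not the gist's own code): packet framing with the two-hex-digit checksum, the vFile:open / vFile:pread / vFile:close requests that `remote get` issues, parsing of the `F` replies, and a constructed in-memory stub standing in for gdbserver so the whole round trip runs offline. The file table, the fd numbering and the 4096-byte read size are assumptions made for the example; the packet layouts follow the documented File-I/O remote protocol extension.

```python
"""GDB remote serial protocol: framing, checksums and the vFile requests
used by `remote get`.  Added example with a constructed fake stub."""
import binascii

# Bytes that must be escaped ('}' then byte ^ 0x20) inside binary attachments.
_ESCAPE = {0x23, 0x24, 0x7D, 0x2A}  # '#', '$', '}', '*'


def rsp_checksum(payload: bytes) -> int:
    """Modulo-256 sum of the payload bytes; transport integrity only."""
    return sum(payload) & 0xFF


def frame_packet(payload: bytes) -> bytes:
    """$<payload>#<two hex digits>  (e.g. b'OK' -> b'$OK#9a')."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def parse_packet(frame: bytes) -> bytes:
    """Strip the framing and verify the checksum; reject anything malformed."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("bad framing")
    payload, csum = frame[1:-3], frame[-2:]
    if int(csum, 16) != rsp_checksum(payload):
        raise ValueError("checksum mismatch")
    return payload


def escape_binary(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        out += (b"}" + bytes([b ^ 0x20])) if b in _ESCAPE else bytes([b])
    return bytes(out)


def unescape_binary(data: bytes) -> bytes:
    out, it = bytearray(), iter(data)
    for b in it:
        out.append(next(it) ^ 0x20 if b == 0x7D else b)
    return bytes(out)


# --- the three requests `remote get` sends (filename is hex-encoded) ---
def vfile_open(path: bytes, flags: int = 0, mode: int = 0) -> bytes:
    return frame_packet(b"vFile:open:" + binascii.hexlify(path) + b",%x,%x" % (flags, mode))


def vfile_pread(fd: int, count: int, offset: int) -> bytes:
    return frame_packet(b"vFile:pread:%x,%x,%x" % (fd, count, offset))


def vfile_close(fd: int) -> bytes:
    return frame_packet(b"vFile:close:%x" % fd)


def parse_fileio_reply(payload: bytes):
    """F<result>[,<errno>][;<binary attachment>] -> (result, errno, data)."""
    if payload[:1] != b"F":
        raise ValueError("not a File-I/O reply")
    body, sep, attachment = payload[1:].partition(b";")
    result, _, errno = body.partition(b",")
    return int(result, 16), (int(errno, 16) if errno else 0), (unescape_binary(attachment) if sep else b"")


class FakeStub:
    """Constructed stand-in for gdbserver: serves files from a dict.  Note that
    it hands back whatever path bytes the client sent; a real stub must decide
    for itself what the debugger is allowed to read."""

    def __init__(self, files):
        self.files, self.fds = files, {}

    def handle(self, frame: bytes) -> bytes:
        payload = parse_packet(frame)
        if payload.startswith(b"vFile:open:"):
            hexpath, _flags, _mode = payload[len(b"vFile:open:"):].split(b",")
            path = binascii.unhexlify(hexpath)
            if path not in self.files:
                return frame_packet(b"F-1,2")          # ENOENT
            fd = 3 + len(self.fds)                     # assumed fd numbering
            self.fds[fd] = path
            return frame_packet(b"F%x" % fd)
        if payload.startswith(b"vFile:pread:"):
            fd, count, offset = (int(x, 16) for x in payload[len(b"vFile:pread:"):].split(b","))
            data = self.files[self.fds[fd]][offset:offset + count]
            return frame_packet(b"F%x;" % len(data) + escape_binary(data))
        if payload.startswith(b"vFile:close:"):
            self.fds.pop(int(payload[len(b"vFile:close:"):], 16), None)
            return frame_packet(b"F0")
        return frame_packet(b"")                       # unsupported: empty reply


def remote_get(stub: FakeStub, path: bytes, chunk: int = 4096) -> bytes:
    """Client side of `remote get`: open, read until EOF, close."""
    fd, err, _ = parse_fileio_reply(parse_packet(stub.handle(vfile_open(path))))
    if fd < 0:
        raise OSError(err, "remote open failed")
    out, off = b"", 0
    while True:
        n, err, data = parse_fileio_reply(parse_packet(stub.handle(vfile_pread(fd, chunk, off))))
        if n <= 0:                                     # 0 = EOF, <0 = error
            break
        out, off = out + data, off + n
    stub.handle(vfile_close(fd))
    return out


# Constructed sample target file (contents invented for the example).
FILES = {b"/proc/self/cmdline": b"./heapfun4u\x00"}
```

Running `remote_get(FakeStub(FILES), b"/proc/self/cmdline")` returns the sample contents; the first packet on the wire is `$vFile:open:2f70726f632f73656c662f636d646c696e65,0,0#..`, i.e. the path hex-encoded exactly as the write-up describes.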
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('split')
# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag = next(elf.search(b"cat flag"))  # elf.search() yields matching addresses
apt-get install python2.7-dev python2.7
apt-get build-dep gdb        # needs a deb-src line in sources.list
apt-get source gdb
cd gdb-*/                    # apt-get source unpacks into a versioned directory
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg -i ../*.deb
RARVM reversible/patchme
Modified 'unrar' source to dump context and disassembly.
Wrote two separate solvers since the challenge was broken.
To build the disassembler/debugger:
- unzip unrar-src-disassembler.zip -d unrar
- cd unrar
#if 0
.PHONY: run
run: a.out
	@./a.out
a.out: $(MAKEFILE_LIST)
	@gcc -xc $(MAKEFILE_LIST)
ifeq (0, 1)
#endif