CTF

· CTF/2018
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #define OOO_ALLOCATE 0x000000 #define OOO_FREE 0x100000 #define OOO_WRITE 0x200000 #define MAP_SIZE 0x1000000 #define OOO_BIN_BASE 0x1317940 #define FREE_GOT 0x11301a0 #define OOO_MAGIC_GADGET 0x6e65f9 int fd; char *mmio; uint64_t ooo_read(uint32_t idx, uint32_t offset..
· CTF/2017
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define IOMEM_A 0xfe900000 #define IOMEM_B 0xfea00000 #define IOPORT_A 0xc000 #define IOPORT_B 0xc100 #define MMIO_SRC 0x04 #define MMIO_DST 0x08 #define MMIO_COPY 0x20 #define MMIO_CMD 0x24 #define MMIO_TIMER 0x80 #define MMIO_EXPIRE_LO 0x88 #define MMIO_EXP..
· CTF/2017
Category : pwnable Summary : qemu escape Exploit #include #include #include #include #include #include #include #include #include #include #define SRC_LO 0x80 #define SRC_HI 0x84 #define DST_LO 0x88 #define DST_HI 0x8c #define CNT 0x90 #define TIMER 0x98 #define TIMER_READ 0x1 #define TIMER_WRITE 0x3 #define TIMER_ENC 0x4 #define MAP_SIZE 0x1000 #define PAGE_SHIFT 12 #define PAGE_SIZE (1 enc = s..
· CTF/2018
Category : pwnable Summary : uaf, tcache, show function, confusion between tcache and fastbin, 2 notes Exploit #!/usr/bin/python from pwn import * def cmd_add(data): ru('Your choice:') ss('1\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_edit(idx, data): ru('Your choice:') ss('2\x00') ru('Input the idx:') ss(str(idx)+'\x00') ru('Input the content:') ss(data) ru('Done!\n') def cmd_d..
· CTF/2018
Category : pwnable secret_message 494 2 Solves Let's share a secret with us nc secret-message.pwn.seccon.jp 31337 (Hint: We allow a "little" bruteforcing to secret_message only.) Summary : ascii art, out of boundary, double staged format string attack, * precision, fread, fwrite A challenge where I started off in the wrong direction, thinking it had to be solved with an off-by-one vulnerability. It can be solved with a format string bug (fsb). Given that the challenge description allows a "little" brute force..
· CTF/2018
Category : pwnable Summary : race condition, heap overflow, no free, top chunk into fastbin Race condition write-up to be added Exploit #!/usr/bin/python from pwn import * def cmd_add(times, **arg): ru('>> ') sl('1') ru('How many chunks at a time (1/2) ? ') sl(str(times)) if times == 2: # thread-1 ru('\nEnter Size 1: ') sl(str(arg['size'][0])) ru('\nEnter Author name : ') time.sleep(5) # thread-2 ru('\nEnter..
· CTF/2018
Category : pwnable Summary : heap Exploit #!/usr/bin/python from pwn import * def cmd_add(name, desc): ru('>> ') sl('1') ru('Enter name: ') sl(name) ru('Enter desc: ') if desc: sl(desc) def cmd_edit(idx, name, size, desc): ru('>> ') sl('2') ru('Enter index: ') sl(str(idx)) ru('Enter name: ') ss(name) ru('Enter size: ') sl(str(size)) ru('Enter desc: ') ss(desc) def cmd_remove(idx): ru('>> ') sl('..
· CTF/2018
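Category : pwnable SimpleMemo 494 2 Solves Host: smemo.pwn.seccon.jp Port: 36384 Summary : seccomp bypass, orig_rax A challenge where I took first blood for the first time in a while. I spent about twice as long as necessary because of pointless trial and error. I probably would not have gotten it if the teams that went to Google CTF had played. I need to cut down the time I waste on trial and error. 1. Vulnerability 1.1. Concept A binary with functions to add/show/delete memos. The binary's structure is very simple. It allocates a heap chunk of size 0x28, reads the user's input into it, and stores the address of that chunk in memo_table. 1.2. OOB memo access -> arbitra..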
pwn3r_45
List of posts in the 'CTF' category (Page 3)