@ihciah
ihciah / README.MD
Created February 5, 2016 04:39
Pwnable.kr md5 calculator writeup

Pwnable.kr md5 calculator writeup


In process_hash, the size of the input is 1024 and the size after b64d is 512; however, it should be 1024*3/4, so there's a buffer overflow here.

Because of the stack canary, we can do nothing. I was confused here until I noticed the canary is also used in my_hash to generate a random number. Since the canary is gs:0x14, it's always the same in all function calls.

We can calculate the canary value from the captcha because the seed of the randomization is the current time, which we can fetch from an HTTP request to http://pwnable.kr.

After feeding the input b64e("AAAA"*(768/4)) to the program, jumping past the canary check and breaking at ret, we can notice that the top of the stack is AAAA....

@rueycheng
rueycheng / GNU-Make.md
Last active July 30, 2025 07:14
GNU Make cheatsheet
@ricardo2197
ricardo2197 / return to dl-resolve.md
Last active August 4, 2025 19:13
Return-to dl-resolve

0ctf babystack with return-to dl-resolve

In this write-up I will discuss how I managed to solve the challenge "babystack" from 0ctf with a technique called return to dl-resolve. I did not know this kind of return-to attack before the contest. In the following sections a detailed explanation of the entire exploit will be presented.

1. Binary analysis

I downloaded the provided binary babystack and quickly fired up binaryninja alongside gdb to analyze it. I quickly realized a buffer overflow vulnerability is present within sub_804843b. My first approach was to solve this challenge using a return-to-libc attack by leaking the base address of the library and calling system in order to get a shell.
This technique is contingent on:

  1. Leaking libc base address
  2. Knowing the version of libc to get the offset of system.

However, the version of libc on the remote server was unknown and the ELF did not provide any function that can be us