#!/usr/bin/python
from pwn import *
context.log_level = "DEBUG"
#context.terminal = ['tmux', 'splitw', '-hp', '60']
libc = ELF("./libc.so.6")
elf = ELF("./sice_sice_baby")
#p = gdb.debug(elf.path, "c")
#p = process(elf.path)
p = remote("dicec.tf", 31914)
#!/usr/bin/python
# corCTF 2021 Rusty solution by c4e (author)
# this is the commented version of my rusty exploit
# I literally planned everything as I wrote it so hopefully the thought process I followed is
# understandable and you can have a laugh at some dumb stuff as well that I was too lazy to clean.
# The challenge got only 1 solve by M30W from team Dio. We talked about our solutions and they were
# pretty similar, except theirs made me realize how dumb I was thinking I needed a double poison null byte
# scenario to get a double overlap and work from there. That made my exploit way more painful than it
#!/usr/bin/python
# corCTF 2021 Helpless solution by c4e (author)
# there are many different techniques that can be used to solve Helpless because of
# the nature of the challenge (UAF, variety of sizes allowed)
# My solution uses a House of Rust smallbin variation and then finishes the exploit off
# with a standard __GI__IO_file_jumps fsop triggered with stdout.
# feel free to dm me on discord if you want to discuss the solution. c4e#1255