Alec Petridis chop0

lemon gallery

this was the first of two challenges in the gunnhacks 7.0 ctf; the bug is a buffer overflow, with aslr, nx, and stack protection disabled. also it's stripped and the section headers are a bit fucked up >:). it's statically linked, and does not have libc.

the lemons have revolted in the lemon gallery due to abysmal working conditions and forced labour. they've put up a blockade which seems almost inpenetrable; i can't even find the libc version! connect with nc shell.ctf.gunnhacks.com 45753.

we can run pwn checksec to get an idea of what security features the binary has: alright. if we can overflow a buffer, we might be able to jump straight to our shellcode. let's take a look in gdb (using starti to immediately break when the program starts). ![disassembly](https://chop0.i

Page edit divison

A Pen by Opher Vishnia on CodePen.

License.

	#include <stdio.h>
	#include <string.h>
	#include <stdlib.h>

	#include "parse.h"

	#define BUFSIZE 256

	FILE* open_map() {
	FILE* ver = fopen("/proc/version", "r");

	zone/zone-list.h: // zone-allocated objects for which destructors are not called anyway, so
	ast/scopes.cc: // scope and we terminate the iteration there anyway.
	ast/scopes.cc: // in the outer scope anyway, because if a binding exists in an outer
	ast/scopes.h: // Sloppy eval in script scopes can only introduce global variables anyway,
	ast/scopes.h: // isn't extendable anyway, or
	heap/memory-chunk.cc: // Not actually used but initialize anyway for predictability.
	heap/cppgc/heap-page.cc: // for the first header which will anyways serve as header again.
	heap/heap.cc: // This is an optimization. The sweeper will release black fillers anyway.
	codegen/x64/assembler-x64.cc: // (larger) kCodeAlignment anyways.
	codegen/ia32/assembler-ia32.cc: // (larger) kCodeAlignment anyways.

	fn steps(mut a: i128, mut b: i128, mut c: i128, mut d: i128) -> u32 {
	let mut i = 0;
	while coeffs != (0, 0, 0, 0) {
	(a, b, c, d) = ((a - b).abs(), (b - c).abs(), (c - d).abs(), (d - a).abs());
	i += 1;
	}
	i
	}

	fn main() {

	function lemonthink() {
	let buf = new ArrayBuffer(4);
	let lemon = new Int32Array(buf);
	let think = new Float32Array(buf);

	lemon[0] = 0x7F800001; // A NaN that's not the normal JS NaN
	think[0] = think[0]; // When interpreted, JS sees the (different to normal) NaN and replaces it with a normal NaN. Compiled JS doesn't modify the value.
	return lemon[0];
	}
	console.log(lemonthink()); // 0x7fc00001, 2143289345

	io = start()

	zero_rsi = 0x400134
	add_rsi = 0x400126
	syscall = 0x400123
	read = 0x40011c
	# shellcode = asm(shellcraft.sh())
	# payload = fit({
	# 32: 0xdeadbeef,
	# 'iaaa': [1, 2, 'Hello', 3]

	Bee
	Cat
	Coyote
	Duck
	Emu
	Fly
	Kangaroo
	Koala
	Panther
	Platypus