Description: You haven’t been naughty, have you? Notes: The binary has no mitigations, so we can do a stack buffer overflow and write our shellcode somewhere on the stack. fgets() reads in 0x47 bytes from the user. The two bytes at the saved base pointer have to be 0xe4ff, which is the opcode for jmp esp (hint… Continue reading Naughty →
Description: Are you ready for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bin/shawhkj\xffwaa ? Notes: memset(0x601068, 0, 9) gives us 9 bytes to write to in the bss. gets() -> buffer overflow. NX is enabled, so we can’t execute on the stack. No PIE, so we can use a ROP chain to write ‘/bin/sh’ to the bss and pass the bss address into system. mprotect is used here to check… Continue reading Ready for Xmas? →
Notes: We know the address of qi_de_base: 0x8202010. There is a format string vuln: printf(user->display, user->name, user->sex). User data is written in the heap. No ASLR and no PIE. We have a heap overflow on user->name. This is the user->qi: person *user = new_p(); Steps: Use the heap overflow on user->name to write into user->display; user->display is where the fmt string… Continue reading Big Brain Time →
Notes: format string in 0x13a2: printf(argv). Writeup: There is a format string vulnerability on argv, which is the filename. The challenge gives you ssh to a remote machine that has the challenge file, SUID to a user with the flag. Using the format string, there was a pointer to the heap, where the flag had been copied, at offset 10. Using %s, you… Continue reading hello %s →
Binary: bazooka. Notes: scanf() BoF in vuln(). No PIE. Tried to find the offset of /bin/sh in libc using a libc leak, and it seems like we are out of luck. Could use the bss segment as a code cave to write the /bin/sh string. Control PC using the BoF. Create a ROP chain to write “/bin/sh” in the unused data section, then… Continue reading bazooka →