pwn <small>ctf</small>

More format strings

2022-11-07 By qld

Intro on printf vulns

First of all, some links. printf abuses have been extensively documented now, see https://tinyhack.com/2014/03/12/implementing-a-web-server-in-a-single-printf-call/ for the infamous "web-server-in-a-single-printf-call" headline, which turns out to just be a hardcoded shellcode that serves a hello world. We could have actual turing machines in …
read more
Using existing code
2022-10-20 By qld
I couldn't find enough time to finish that challenge yesterday. Turns out my chickens did escape. Good news, they came back on their own this morning, hence the extra time for this challenge.

Stuff I learned:
- gef is excellent https://github.com/hugsy/gef, provides proper view of what's going …
read more
Properly exploiting format strings
2022-10-18 By qld
That paper really covers the subject properly.
- https://cs155.stanford.edu/papers/formatstring-1.2.pdf - Exploiting Format String Vulnerabilities
Stuff I learned today:
- my payload started not working as soon as 0x20 was in some p32(address) representation because I forgot quotes around the xxd wrapper payload, causing the space …
read more
Automating X11 clipboard content
2022-10-17 By qld
Ahh, Stanford. I'm starting a format string binary now.
- https://cs155.stanford.edu/papers/formatstring-1.2.pdf - Exploiting Format String Vulnerabilities
- http://phrack.org/issues/49/14.html#article - Smashing The Stack For Fun And Profit
- http://phrack.org/issues/60/10.html - Basic Integer Overflows
- http://phrack.org/issues …
read more
Shellcode on the stack and syscalls

2022-10-14 By qld
read more
Simple execve template
2022-10-13 By qld
A single challenge tonight, busy day. This one went easier than expected, no fiddling with offsets or planting binaries. Have I shown you that piece of code I got ready just in case, thanks to man execve ?
/* execve.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main …
read more
Simple shellcode and automation
2022-10-12 By qld
So, time to step up, there was no real binary exploitation so far, just some staring at the binaries and scripting with pwntools. These are gentle introductions to binary exploitation.
Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has …
read more
Basic gdb usage
2022-10-11 By qld
Key takeaways here are gdb command lines as radare, uh, requires too much remembering esoteric keystrokes. Usual friends plus ida were good enough to solve it all in one day.
gdb -x /opt/gdbinit/gdbinit ./file set disassembly-flavor intel break main disassemble main stepi x/s address x/8 …
read more