26 Feb 2012

CODEGATE 2012 – Vuln 500

Vuln500 is a basic format string vulnerability, made slightly more interesting by the fact that no functions are called after the printf() call. The .dtors entries are not called either, and ASLR is enabled.


26 Jan 2012

MozillaCTF 2012 – JS shell exploit

In this challenge we were given an ssh login to a box containing a command-line JS tool and a .js file that made it crash. The tool was setgid, and there was a file named "secret" in the same directory owned by the same group, so it seemed we would have to turn the example .js into a working exploit and read the secret file.

This is the true, sordid story of how we solved it 🙂


09 Oct 2011

Secuinside 2011 CTF – Challenge 11

Challenge #11 consists of two binaries, chal1 and chal2. As if exploiting one binary wasn't worth any points!

chal1

The vulnerability

Chal1 is an NX-protected x86-64 binary with fixed addresses for libc and ASLR for the stack. It suffers from a strcpy() vulnerability: a string is copied from argv[3] into a fixed-size buffer. But first we have to overcome the fact that the binary exits when it is given *any* arguments at all. Luckily, when argc is 0, argv[0] is the NULL that terminates the argument array and the envp[] array follows it directly, so argv[3] points to envp[2].

While the convention for environment variables is "VARNAME=value", the kernel does not enforce it; it just copies NUL-terminated strings. This means we can put arbitrary binary data at the top of the process' stack, encoding the NUL bytes simply by starting another string.
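The argv/envp trick described above, as an added example that is not part of the original writeup or the challenge binaries: the program splits a constructed payload (two NUL bytes, no '=' anywhere) into separate envp[] strings, then re-executes itself with an empty argv[] so that, on the kernels this 2011 challenge ran on, argv[3] aliases envp[2]. The payload bytes, the buffer sizes and the self-re-exec are assumptions for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Split a binary payload into the NUL-free strings execve() accepts as
 * envp[].  Every NUL byte in the payload becomes a string boundary: the
 * kernel copies the strings onto the new process' stack back to back, each
 * followed by its own terminator, so the payload is reassembled with its NUL
 * bytes in place.  A trailing NUL needs no extra string, the last string's
 * terminator supplies it.  None of the strings need an '=' in them.
 * Returns the number of strings written, 0 if out[] is too small or on OOM.
 */
size_t split_payload(const unsigned char *payload, size_t len,
                     char **out, size_t max_out)
{
    size_t n = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && payload[i] != 0)
            continue;
        size_t chunk = i - start;
        /* Empty chunk after a trailing NUL: already covered by the
         * terminator of the previous string, so emit nothing. */
        if (i == len && chunk == 0 && len > 0)
            break;
        if (n + 1 >= max_out)          /* keep room for the NULL sentinel */
            return 0;
        char *s = malloc(chunk + 1);
        if (!s)
            return 0;
        memcpy(s, payload + start, chunk);
        s[chunk] = '\0';
        out[n++] = s;
        start = i + 1;
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    /* Second run: we re-executed ourselves with an empty argv[].  Before
     * Linux 5.18, argv[0] is then the terminating NULL and argv[1..] alias
     * envp[0..], so argv[3] is envp[2]. */
    if (argc == 0) {
        printf("argc == 0: argv[3] is envp[2] = \"%s\"\n", argv[3]);
        return 0;
    }
    /* Since Linux 5.18 the kernel substitutes a single empty string for an
     * empty argv, so argc is 1, argv[1] is NULL and argv[3] is envp[1]. */
    if (argc == 1 && argv[0][0] == '\0') {
        printf("kernel forced argv[0] = \"\": argv[3] is envp[1] = \"%s\"\n",
               argv[3]);
        return 0;
    }

    /* First run: build envp[] from a constructed payload (an assumption for
     * this example, not the challenge's real input). */
    static const unsigned char payload[] = "AAAA\0BBBB\0third-string";
    char *envp[8];
    if (split_payload(payload, sizeof payload - 1, envp, 8) == 0)
        return 1;
    char *empty_argv[] = { NULL };
    execve(argv[0], empty_argv, envp);   /* argv[0] must still resolve */
    perror("execve");
    return 1;
}
```

Run the binary with no arguments and it prints which envp[] string argv[3] landed on. The caveat a practitioner wants: since Linux 5.18 the kernel no longer passes an empty argv through, it inserts a single empty argv[0], so argc is 1 and the argv[3] == envp[2] aliasing used in this writeup does not occur; the NUL-splitting part still works, only the aliasing offset changes.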