- Linux heap exploitation with an arbitrary free vulnerability
tl;dr Linux client-server application heap exploitation
Writeup from InCTFi 2019 bartender
tl;dr Windows 32-bit SEH exploitation
tl;dr 2-element overflow in an Array when JIT-compiled
Uint8Array to get an overflow in an ArrayBuffer and proceed to convert this to arbitrary read-write and execute shellcode.
This post will describe how I exploited CVE-2019-14378, a pointer miscalculation in the network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing.
Out-of-bounds write in trustlet ‘1’ allows us to write random bytes at an address of our choice. With this we can write our shellcode to an rwx region without any brute-force.
Note: During the CTF we used a 1-byte brute-force to write shellcode into the rwx segment and get a shell. It was only afterwards that we realised that no brute-force was required!
This school CTF had a good set of challenges for beginners
32-bit executable, dynamically linked, not stripped
When you run the executable in the terminal, the program simply asks for an input and checks whether it is the secret it is looking for.
debugging in GDB…
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
Going through the assembly, we can see a call to gets(). Since gets() has no length limit, this lets us corrupt any stack address higher than the buffer it reads into. We can also see a call to the ‘print_flag’ function. This call instruction is executed only after a cmp instruction that compares [ebp-0xc] with ‘0xf007ba11’; the following jne skips the call when the values differ.
0x0804861d <+107>: cmp    DWORD PTR [ebp-0xc],0xf007ba11
0x08048624 <+114>: jne    0x804862d <main+123>
0x08048626 <+116>: call   0x804854b <print_flag>