Step 1: install opus-tools
sudo apt-get install libogg-dev libopus-dev libopusfile-dev opus-tools libflac-dev
git clone https://github.com/xiph/libopusenc.git
cd libopusenc && ./autogen.sh && ./configure && make   (standard autotools build of libopusenc, assumed here; the original only listed the install step)
sudo make install
git clone https://github.com/xiph/opus-tools.git
Step 2: extract the Opus stream from the pcap file
./opus_tools/opus-tools/build/opusrtp --extract voice_udp.pcapng -o out.opus
Step 3: convert the .opus file to a .wav file (for example with opusdec from opus-tools: opusdec out.opus out.wav); now you can enjoy the reconstructed audio ^_^
Note: the opusrtp tool may need some modification to work normally.
As the official write-up by f00l stated, there is a data race between put_jar() and get_jar(), and the attack window is pretty large thanks to the lock_mutex in both functions.
Continue reading “[TCTF 2017 final] cred_jar (linux kernel driver pwn) write-up”
faggin is the last pwnable challenge in DEF CON 2017 quals. I did not solve it during the CTF, and there are no write-ups for this challenge, so I wrote this article.
Continue reading “[DEF CON CTF 2017 quals] faggin write-up”
DEF CON is over; we ranked 20th in this CTF (last year we ranked 49th), so it's time to do the write-ups and some summary.
I solved the following 6 challenges in this CTF:
- Baby's first — smash (pwnable)
Continue reading “[DEF CON 2017 Quals] pwnable and reverse writeups”
0ctf has been over for a week. We (NeSE) finished 6th out of 908. During the game I looked at two pwnable challenges: knote and uploadcenter. I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and the race condition in knote, and the info leak and the mismatch between mmap and munmap sizes in uploadcenter, but I did not come up with the thread-stack UAF exploit. So I wrote this article to write down what I thought was the most fun part of these challenges.
Continue reading “[0ctf 2017] uploadcenter knote pwnable write-up”
This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for that.
The child process is chroot-jailed. To get the flag outside of the jail, we have to use ptrace to attach to and modify the parent process to escape the jail.
There are many ways to exploit the vulnerability, and we chose the following one:
- add a syscall with a negative number of registers and hijack the vtable to a stack position
- input shellcode using the leave notes function
- call the hijacked function pointer
Continue reading “[NJCTF 2017] syscallhelper(pwn 600) write-up”
This is an interesting challenge from UCSB iCTF 2017, and we had a lot of fun with it. But by the time we finished the exploit, the game server, including the scoreboard, had gone down before the end.
This write-up covers only the local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It's a pity we could not actually get a real flag in the game.
Continue reading “[UCSB iCTF 2017] pokemon(type: pwn) write-ups”
- Android .so debugging [reference]
- The Android broadcast mechanism
- Anti-emulator checks and how to bypass them
- Identifying the LZO compression algorithm
- Identifying the CRC32 checksum algorithm
Continue reading “ISCC 2016 mobile 500 GREEN”