Teaser CTF is launched by Dragon Sector, is a Polish security Capture The Flag team. It was created in February 2013 and currently has 13 active members.
I solved two challenge in the first evening(so easy, power level) and tried to solves the pwnable challenge quine on Sunday Morning but failed, I found a write-any-where vulnerability but I didn’t see how to exploit. Continue reading “Teaser CTF 2015 writeup(So easy, power level)”
I wanted to play with ropc and died a little in installing ropc. Firstly we have to install BAP 0.4. To compile BAP, we need to install ocaml 3.12.1 from source(because ocaml 4.0 can not compile BAP 0.4). Then we need to install camomile from source.(again the default apt-get camomile version failed in the compilation).
PS: the following package should be installed before compiling bap0.4.
apt-get install gcc-multilib g++-multilib
apt-get install binutils-dev automake libpcre3-dev autotools-dev
apt-get install ocaml-findlib camlidl libocamlgraph-ocaml-dev libbfd-dev
another issue is :
asm_program.c:8:23: fatal error: libiberty.h: No such file or directory
It’s such a pain that a end up installing bap using opam…
“Practical Reverse Engineering” is a great book on windows reverse engineering. In this part, the structure of a driver is noted for later reference. Continue reading “Windows software drivers(part2 Structure of a driver)”
1. prodmanager(180 points)
prodmanager is a product manage system. After a short investigation of the source code, I found that there is a UAF vulnerability of double linked list. Actually the program did not manage product list and lowerest price list properly, an item which is freed in the product list still presents in the lowerest price list. Continue reading “Plaid CTF 2015 writeup(prodmanager, clifford, ebp, unknown)”
This is a list of handy gdb commands for reference: Continue reading “gdb commands”
I am reading ch3 “windows kernel” of Bruce Dang’s book–“Practical Reverse Engineering” and decides to write some notes down for later reference. Continue reading “Windows software drivers(part1: memory description list)”
I participated the Backdoor CTF 2015 and found something very weird: “chmod +x” will change function’s offset. I will figure this out later. Continue reading “Backdoor CTF 2015 echo: “chmod +x” will change function’s offset”
I spent several hours on this challenge, the logic of this program is simple and an information leakage vulnerability was discovered. But I was not familiar with malloc’s heap management scheme and failed to exploit this vulnerability.
The vulnerability has its root in no
'\0' was appended to the input note, it’s possible to leak a heap pointer by crafting a string before the heap pointer. But I didn’t know how then, after reading this and this writeup I finally figured out how to do this. This and this also help a lot to understand heap exploitation technique. This article is a record for reference. Continue reading “0CTF-2015 freenote: playing with malloc library”
The general idea to pwn this toy online store system is as following, firstly we need to find a control flow hijack vulnerability which in this case is a vtable hijack based on heap buffer overflow, secondly we will bypass all the integrity checks in the program and the memory defenses(e.g. ASLR) to call “system(“sh”)” in libc.
Continue reading “BCTF 2015 pwn challenge: zhongguancun”