I have not written for a long time… It’s nothing new, but it made me want to write something for the blog. I was reading the 44con talk “Subverting Direct X Kernel For Gaining Remote System”[1], and I said to myself, I’ll try to do the infoleak, CVE-2018-8121[2].
CVE-2018-8121
The infoleak consists in getting uninitialized memory in […]
Author: Nox
Ricardo Narvaja’s pwnable – basic exercise 11
Ricardo Narvaja’s challenge aims to teach IDA Pro and to use it as much as possible. The challenge can be found here, and I modified the IDB for a better understanding. This challenge interacts with a file called fichero.dat, which it reads and stores in local variables (a struct). Since it is a small file, I can infer that there […]
VolgaCTF 2017 – time_is
I solved this challenge with my teammate @javierprtd. Category: Exploiting. Points: 150. Binary: time_is. By executing the binary, we can see.
    $ ./time_is
    Enter time zones separated by whitespace or q to quit
    hola
    hola: 05:54
    Enter time zones separated by whitespace or q to quit
    %x.%x.%x.%x.%x.%x.%x.%x.%x
    5.66666667.70a3d70b.2ce33e7.e40.bac364a0.350c30aa.2400010.78: 05:54
    Enter time zones separated by whitespace or q to quit
Well, format string vulnerability found. The binary reads from stdin using the __getdelim function, and the only delimiter is ‘\n’.
    v3 = __getdelim(&lineptr, &n, 10, stdin);
The __printf_chk function is used for printing to stdout and checking if the […]
XiomaraCTF 2017 – mint
In this challenge debugging was unnecessary. If I execute it, this is the output:
    $ ./mint
    ^^^^^^^^^^^^^^ Welcome to My Mini Text editor (Mint) ^^^^^^^^^^^^^^^^^^^^^^^^
    [1] Add text
    [2] Edit text
    [3] Display text
    [4] Exit
    Enter ur option :
We can add a text, edit it and show it.
The vulnerability
So, I add a text; the max length is 0x30, but if I edit the text, there are two options:
    Enter ur option :2
    [1] Append text
    [2] Overwrite
When I choose the first option, we can […]
FwhibbitCTF 2017 – Bomb
Category: Reversing. Points: 450. We need an 8-digit code to disable the bomb. That code is used to operate with two arrays of bytes. Any mistake will make the bomb explode.
    # first array of bytes
    aof = [0xF7, 0xFC, 0xB5, 0x83, 0x81, 0xA7, 0x83, 0x89, 0xBD, 0xFD, 0xBF, 0x9E, 0xFA, 0xA6, 0x9A, 0xF4, 0x84, 0xA2]

    # second array of bytes
    aof2 = [0xBB, 0xA8, 0xEA, 0x84, 0xD7, 0xCA, 0x80, 0x80, 0xEE, 0xA9, 0xB9, 0xDB, 0x91, 0xF0, 0x9D, 0xFB, 0x81, 0xE2, 0xF7, 0xFD, 0xE4, 0x80, 0x86, 0xF1, 0xCC, 0xC5, 0xE5, 0xA9, 0xEF, 0xC0, 0xA6, 0xE3, 0xC8]
My solution is below: The code is 8 digits long and every digit goes from 0 to 9; that code is used to operate with […]
FwhibbitCTF – Crazy serial
Last week, I played the FwhibbitCTF for a few hours; it was a CTF organized by Follow The White Rabbit. They used the Facebook platform, and this challenge is the one corresponding to the country Congo. My solution for Crazy serial is below. Category: Reversing. Points: 330pts. When I opened this challenge… As can be seen, […]
AlexCTF – catalyst system
Thanks, AlexCTF, for the challenges!