rh0gue

rh0gue Vulnerability Research, Reverse-Engineering and Exploit Development https://conceptofproof.github.io 34C3CTF - simpleGC Points: 107 Solves: 47 Category: Exploitation sgc libc-2.26.so sgc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f7ef90bc896e72ba0c3191a2ce6acb732bf3b172, stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial Intro simpleGC was a 107 point pwnable... Fri, 05 Jan 2018 00:00:00 +0000 https://conceptofproof.github.io/2018-01-05-34c3ctf-simplegc/ https://conceptofproof.github.io/2018-01-05-34c3ctf-simplegc/ 34C3CTF - 300 Points: 264 Solves: 13 Category: Exploitation 300 libc-2.24.so 300: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5f43b102f0fe3f3dd770637f1d244384f6b2a1c9, not stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : ENABLED RELRO : FULL Reversing The binary is a... Sun, 31 Dec 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-12-31-34c3ctf-300/ https://conceptofproof.github.io/2017-12-31-34c3ctf-300/ MMA CTF 2016 - diary aiRcraft libc.so.6 diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial Summary The program mmap’s a custom heap that is given rwxp permissions.... Mon, 28 Aug 2017 00:00:00 +0100 https://conceptofproof.github.io/2017-08-28-mmactf16-diary/ https://conceptofproof.github.io/2017-08-28-mmactf16-diary/ RCTF 2017 - aiRcraft Points: 606 Solves: 14 Category: Exploitation aiRcraft libc.so.6 aiRcraft: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f8597b2bb97a5f0ffd55603a10b55629eabebfa6, stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : ENABLED RELRO : FULL Vulnerability This program allows us to... Fri, 26 May 2017 00:00:00 +0100 https://conceptofproof.github.io/2017-05-26-rctf17-aircraft/ https://conceptofproof.github.io/2017-05-26-rctf17-aircraft/ BCTF 2017 - Overwatch Points: 909 Solves: 3 Category: Exploitation overwatch libc-2.23.so overwatch: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=93bcce5139c1227a42aa9ec4ba20a82f0222795c, stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : ENABLED NX : ENABLED PIE : disabled RELRO : FULL Intro Overwatch was a 909 point exploitation... Thu, 13 Apr 2017 00:00:00 +0100 https://conceptofproof.github.io/2017-04-13-bctf17-overwatch/ https://conceptofproof.github.io/2017-04-13-bctf17-overwatch/ ASIS Quals CTF 2017 - CaNaKMgF Remastered Points: 384 Solves: 25 Category: Exploitation CaNaKMgF_remastered CaNaKMgF_remastered: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e4ba2a9e3c69441f88481b5e06ac21fd52c54b9a, not stripped CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : ENABLED RELRO : FULL Intro This program is based off the CaNaKMgF... Sun, 09 Apr 2017 00:00:00 +0100 https://conceptofproof.github.io/2017-04-09-ASIS17-CaNaKMgF/ https://conceptofproof.github.io/2017-04-09-ASIS17-CaNaKMgF/ Modern Binary Exploitation - rpisec_nuke For Project 2, we are given a binary named rpisec_nuke and tasked with exploiting a service running this binary on the remote warzone server. No source code is given. If we run checksec, we can see that stack canaries, NX, PIE and full RELRO are enabled. CANARY : ENABLED FORTIFY... Sat, 04 Mar 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-03-04-MBE-project2/ https://conceptofproof.github.io/2017-03-04-MBE-project2/ Modern Binary Exploitation - Lab 9A For this lab, we are given a program and its corresponding source code in C++. /* * compile: g++ -fstack-protector-all -z relro -z now -O1 -fPIE -pie ./lab9A.cpp -g -o lab9A * clark's improved item storage server! * Changelog: * * Using HashSets for insta-access! * */ #include <iostream> #include... Wed, 08 Feb 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-02-08-MBE-lab9A/ https://conceptofproof.github.io/2017-02-08-MBE-lab9A/ Insomni'hack Teaser CTF 2017 - The Great Escape pt3 Points: 200 Solves: 10 Category: Exploitation flag.elf flag.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=08df0c3369b497ee8ed8fca10dbb39ae75ebb273, not stripped gdb-peda$ checksec CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial Intro The Great Escape pt3 was... Sun, 22 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-22-insomnihack-escape3/ https://conceptofproof.github.io/2017-01-22-insomnihack-escape3/ Modern Binary Exploitation - Lab 9C For this lab, we are given a program and its corresponding source code in C++. /* * compile: g++ -fstack-protector-all -z relro -z now ./lab9C.cpp -o lab9C * * DSVector - A basic homwork implementation of std::vector * This is a wrapper program to test it! */ #include <iostream> #include... Sat, 21 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-21-MBE-lab9C/ https://conceptofproof.github.io/2017-01-21-MBE-lab9C/ Modern Binary Exploitation - Lab 8A For this lab, we are given a program and its corresponding source code written in C. #include <stdlib.h> #include <stdio.h> #include <string.h> #include "utils.h" #define STDIN 0 //gcc -static -fstack-protector-all -mpreferred-stack-boundary=2 -o lab8A lab8A.c int *global_addr; int *global_addr_check; // made so you can only read what we let you void... Tue, 17 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-17-MBE-lab8A/ https://conceptofproof.github.io/2017-01-17-MBE-lab8A/ Modern Binary Exploitation - Lab 8B For this lab, we are given a program and its corresponding source code. I included some comments I made for myself to better understand different functions. /* * gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab8B lab8B.c */ #include<stdio.h> #include<stdlib.h> #include<string.h> #define MAX_FAVES 10 struct vector { void... Sun, 15 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-15-MBE-lab8B/ https://conceptofproof.github.io/2017-01-15-MBE-lab8B/ Modern Binary Exploitation - Lab 8C For this lab, we are given a program and its corresponding source code: /* * gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab8C lab8C.c */ #include<errno.h> #include<fcntl.h> #include<stdio.h> #include<stdlib.h> #include<string.h> #include<sys/types.h> #include<unistd.h> struct fileComp { char fileContents1[255]; char fileContents2[255]; int cmp; }; char* readfd(int fd) { // Find... Sat, 14 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-14-MBE-lab8C/ https://conceptofproof.github.io/2017-01-14-MBE-lab8C/ 33C3 - BabyFengShui babyfengshui: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=cecdaee24200fe5bbd3d34b30404961ca49067c6, stripped CANARY : ENABLED FORTIFY : disabled NX : ENABLED PIE : disabled RELRO : Partial Vulnerability Each time a user is added, two chunks are malloc()‘d for the user, as... Fri, 13 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-13-BabyFengShui/ https://conceptofproof.github.io/2017-01-13-BabyFengShui/ House of Einherjar Overview For this challenge created by Uafio, we are given a program and its corresponding source code. #include <stdio.h> #include <stdlib.h> int i = 0; char tmp[0x80]; char* ptrs[10]; int main() { setvbuf(stdout,NULL,_IONBF,0); setvbuf(stdin,NULL,_IONBF,0); printf("Hello OTA Stream\n"); while (1) { printf( "\n1. Alloc 0x80\n"\ "2. Free index\n"\ "3. Write to tmp\n"\... Sun, 08 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-08-HouseOfEinherjar/ https://conceptofproof.github.io/2017-01-08-HouseOfEinherjar/ Modern Binary Exploitation - Lab 7A For this lab, we are given a program and its corresponding source code: /* compiled with: gcc -static -z relro -z now -fstack-protector-all -o lab7A lab7A.c */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <stdlib.h> #include <time.h> #include "utils.h" ENABLE_TIMEOUT(60) #define MAX_MSG 10 #define MAX_BLOCKS 32 #define BLOCK_SIZE 4 struct... Fri, 06 Jan 2017 00:00:00 +0000 https://conceptofproof.github.io/2017-01-06-MBE-lab7A/ https://conceptofproof.github.io/2017-01-06-MBE-lab7A/ Modern Binary Exploitation - Lab 7C For this lab, we are given a program and its corresponding source code: /* compiled with: gcc -z relro -z now -fPIE -pie -fstack-protector-all -o lab7C lab7C.c */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <stdlib.h> #include "utils.h" #define MAX_STR 6 #define MAX_NUM 6 struct data { char reserved[8]; char... Wed, 21 Sep 2016 00:00:00 +0100 https://conceptofproof.github.io/2016-09-21-MBE-lab7C/ https://conceptofproof.github.io/2016-09-21-MBE-lab7C/ Modern Binary Exploitation - Lab 6A For this lab, we are given a program and its corresponding source code: /* Exploitation with ASLR enabled Lab A gcc -fpie -pie -fno-stack-protector -o lab6A ./lab6A.c Patrick Biernat */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include "utils.h" struct uinfo { char name[32]; char desc[128]; unsigned int sfunc; }user; struct... Tue, 20 Sep 2016 00:00:00 +0100 https://conceptofproof.github.io/2016-09-20-MBE-lab6A/ https://conceptofproof.github.io/2016-09-20-MBE-lab6A/ Modern Binary Exploitation - Lab 6B For this lab, we are given a program and its corresponding source code: /* compiled with: gcc -z relro -z now -pie -fPIE -fno-stack-protector -o lab6B lab6B.c */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include "utils.h" ENABLE_TIMEOUT(300) /* log the user in */ int login() { printf("WELCOME MR.... Sat, 17 Sep 2016 00:00:00 +0100 https://conceptofproof.github.io/2016-09-17-MBE-lab6B/ https://conceptofproof.github.io/2016-09-17-MBE-lab6B/ Modern Binary Exploitation - Lab 6C For this lab, we are given a program and its corresponding source code: /* Exploitation with ASLR Lab C gcc -pie -fPIE -fno-stack-protector -o lab6C lab6C.c */ #include <stdio.h> #include <stdlib.h> #include <string.h> struct savestate { char tweet[140]; char username[40]; int msglen; } save; void set_tweet(struct savestate *save ); void... Thu, 15 Sep 2016 00:00:00 +0100 https://conceptofproof.github.io/2016-09-15-MBE-lab6C/ https://conceptofproof.github.io/2016-09-15-MBE-lab6C/