
Pwn

2023


BH-MEA Profile GOT overwrite

This is a writeup of an easy/medium pwn challenge called “Profile” featuring a type confusion, some GOT overwriting, and a funny but unnecessary one-gadget exploit for the fun of it. We are given the following files: main.c, profile (the binary), Dockerfile and docker-compose.yml. Let’s look at main.c and see if we can spot a vulnerability in the provided source code. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h> struct person_t { int id; int age; char *name; }; void get_value(const char *msg, void *pval) { printf("%s", msg); if (scanf("%ld%*c", (long*)pval) !

CSR23 simple-asm Shellcode Challenge

Solution to the Cyber Security Rumble Finals challenge simple-asm. The challenge is straightforward. It defines a custom set of instructions that are translated directly to x64 instructions and then executed at a fixed offset in a no-PIE binary. The translation lacks checks, so that when specific higher registers are used, the instructions do more than they appear to at first sight. This is the provided challenge source code, which is also running on the remote instance:

Introduction to V8 JIT Compilation

A talk from ju256 and me about Chrome V8 internals with some case studies of common bugs. While the slides are okay to look at, there is a fair bit of context missing from what we say during the talk. Maybe we will give the talk in a similar form somewhere where it is recorded in the future.