As you know, DEFCON CTF 23 Quals is coming up! I want to practice by re-solving the challenges from last year.
For now I'm just going to upload my exploit code; if I have free time, I will write the full write-up. Hope you enjoy!
Let's start the journey.
bbgp (selir-2 points)
The vulnerable function is located at 0x185D. It lets you overwrite the return EIP. The last thing you need to do is brute-force the PIE base address. Exploit code here.
shitsco (gyno-2 points)
There was a classic vulnerability, a use-after-free. When the exploit runs, you're supposed to get the password; more precisely, with it you would be able to get the FLAG.
Exploit code here.
sftp (gyno-3 points)
Well, I've just done this one. It was a common problem when you try to handle a file manager. It's supposed to be pretty confusing, because func_RETR at 0x08049239 tries to read until EOF instead of reading n bytes as it printed out. Exploit code here.
nonameyet (hj-3 points)
This one was about handling the HTTP payload. Since that binary (nonameyet.cgi) has no NX, we would be able to jump into our data. My shellcode was a "Reverse TCP" to my own remote host.
Exploit code here.
byhd (hj-2 points)
It was about reversing a Huffman tree. I did it, but you may want to see my teammate's write-up here. It's kind of tricky to solve :).
Exploit code here.
turdedo (selir-3 points)
Omg, this one was so hard! I found the bug at 0x0804969B, where you can overwrite the previous heap block and bypass a format-string filter function at 0x080495CD. Obviously, it looks very hard to understand. If you are interested, you can do it yourself or search for the full write-up on Google. Exploit code here.
DEFCON 21 QUALS
linked (shellcode-3 points)
I've solved it with a 13-byte shellcode (smaller than the solution given by the organizers) 😀
0x1000: 5b          pop ebx
0x1001: 5f          pop edi
0x1002: b800414141  mov eax, 0x41414100
0x1007: af          scasd eax, dword ptr es:[edi]
0x1008: 75fd        jne 0x1007
0x100a: 97          xchg eax, edi
0x100b: ffd3        call ebx
musicman (reverse-3 points)
It was about an integer overflow, which leads us to read FLAG_WAV at 0x0804C100. BTW, I did some trick to decode the wave to characters 😀 Code here.
thyself (reverse-2 points)
Hm, this problem mixes crypto and reversing. The "bug" is placed at aeslite_encrypt. It is not quite hard; you can do it by yourself :D.
incest (shellcode-1 point)
Shellcode here.
updating soon…
Looking forward to your full write-up ;-)
I would give it a try later XD.
Practicing with you~ XDDDD
Can you give me nonameyet (hj-3 points)’s binary?
here you are 🙂
https://dl.dropboxusercontent.com/u/89410065/nonameyet.cgi
In the bbgp challenge, you don't need to brute-force the binary base address because, in the function located at 0x2002, it calls send(1, &buf, 46u, 0), a size larger than buf has, and just enough to leak the PIE base address 🙂
Well, I didn't even notice that @@
In sftp, I found another bug to trigger a buffer overflow. In List_CMD I found something special: sprintf(&s, "%s/%s", name, v7->d_name); name is the path we control and v7->d_name is the file name, and the size of s is only 0x100, so I can overflow it easily 🙂
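The sprintf pattern from this comment beside a hardened replacement, as an added example (not the challenge binary's code nor the commenter's): PATH_BUF_SIZE is the 0x100 given above, while the function names and the constructed 'A'/'B' inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Size of the destination buffer s in the LIST handler, as given above. */
#define PATH_BUF_SIZE 0x100

/* The described pattern, paraphrased (not the challenge binary's own code):
 *     sprintf(&s, "%s/%s", name, v7->d_name);
 * Returns 1 if that write would exceed PATH_BUF_SIZE (NUL included). The
 * length is computed arithmetically so the check never writes out of bounds. */
int sprintf_would_overflow(const char *dir, const char *name)
{
    size_t needed = strlen(dir) + 1 + strlen(name) + 1;  /* dir "/" name NUL */
    return needed > PATH_BUF_SIZE;
}

/* Hardened form: snprintf knows the buffer size and returns the length the
 * full string needed, so one comparison catches truncation; -1 = did not fit. */
int join_path_safe(char *out, size_t outsz, const char *dir, const char *name)
{
    if (!out || outsz == 0 || !dir || !name) return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return n;
}

/* Constructed sample input (not from the challenge): a dir of dirlen 'A's and
 * a file name of namelen 'B's, fed to both checks above. */
static char g_dir[0x200], g_name[0x200], g_out[PATH_BUF_SIZE];
static int build_inputs(size_t dirlen, size_t namelen)
{
    if (dirlen >= sizeof g_dir || namelen >= sizeof g_name) return 0;
    memset(g_dir, 'A', dirlen);   g_dir[dirlen] = '\0';
    memset(g_name, 'B', namelen); g_name[namelen] = '\0';
    return 1;
}
int overflow_with_lengths(size_t dirlen, size_t namelen)
{
    return build_inputs(dirlen, namelen) ? sprintf_would_overflow(g_dir, g_name) : -1;
}
int join_with_lengths(size_t dirlen, size_t namelen)
{
    return build_inputs(dirlen, namelen) ? join_path_safe(g_out, sizeof g_out, g_dir, g_name) : -1;
}
int main(void)
{
    printf("dir=0x90, name=0x90: sprintf overflow=%d, safe join=%d\n",
           overflow_with_lengths(0x90, 0x90), join_with_lengths(0x90, 0x90));
    return 0;
}
```

The boundary worth checking is dir + "/" + name of exactly 0xFF characters: the NUL still fits, one character more and the hardened join refuses it.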