Court of Analysis and Testing

For the past couple of months you guys see me doing lot of buffer overflow exploitation in Linux and Windows but buffer overflow itself is not the only approach in memory corruption attack. There are other techniques such as format string and heap overflow method But today we are going to focus on Format String attack. So what is it ? Format string attack is an attack that are taking an advantage on how the print function work in C. you guys already know some of them such as printf, sprintf and so on my point is any function from print family typically you use print function like this: void main(){ int a = 10; printf("%d\n",a) ; } notice that we parse a string format which is %d, that represent an integer so this telling the program to show the output of the program from variable a. But things to get little funny when we create program like this: void main() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); } so whats ...

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi...

Back again with the ROP challenge this time we will go back again to basic training to strengthen our understanding more about this exploitation. You maybe start to get sick of me doing this loop of refreshing material, well this is just my preference of study since many people are so impatient and want to go to the next level but how can you go to the next level if you cannot master the basic right? ( this is the wisdom that I got for rewatching Avatar Last Airbender :) LOL) alright cool! This post was inspired by the 4th picoctf2014 challenge which is "rop4" (link: https://github.com/ctfs/write-ups-2013/tree/master/pico-ctf-2013/rop-4 ) but I altered the source code little bit to align with my objective: #include <stdio.h> #include <unistd.h> #include <string.h> char exec_string[20]; void exec_the_string() {     execlp(exec_string, exec_string, NULL); } void call_me_with_cafebabe(int cafebabe) {     if (cafebabe == ...

Back again with the ARM buffer overflow tutorial. In this post, we will try to redirect the flow of program execution by hijacking the PC (EIP) register inside the program for proof of concept we are going to use the following code from stack4 protostar: #include <stdio.h> void win() {   printf("code flow successfully changed\n"); } int main(int argc, char **argv) {   char buffer[64];   gets(buffer); } It is pretty clear that we need to redirect the flow of the execution to win() function. Ok! first we need to compile the code with the following flag. The next step is to find how many offsets of bytes that we need to overwrite the PC register. Since my raspberry pi doesn't have an internet connection to download the usual tool, it looks like we need to create our own pattern generator. the following python script will generate all alphabets including lowercase and uppercase and also digits. Each loop will multiply each character in...