Team-Eur3kA/pwn-cheatsheet
# pwn-cheatsheet

CTF pwnable challenge cheatsheet

## Cheatsheet

| Vuln Type | Protections | Limits or Specials | Method Links |
|---|---|---|---|
| stack overflow | None | None | 1 |
| stack overflow | NX | None | 2 |
| stack overflow | NX RELRO | None | 3 |
| stack overflow | NX RELRO CANARY | canary in forked threads | 4 |
| heap overflow | NX | chunk size can be 0x70~0x7f | 5 |
| heap overflow | NX RELRO | chunk size can't be 0x70~0x7f | 6 |
| heap overflow | NX RELRO | able to overwrite top size | 7 |
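As an added example (not code from this repository), the following Python script reads the ELF64 program headers of a binary to report the NX and RELRO state that the Protections column above refers to; it builds its own constructed sample images, and it does not detect the canary, which would need the symbol table.

```python
import struct
import sys

# Program-header types and flags from the ELF specification.
PT_GNU_STACK = 0x6474E551   # stack permissions requested by the binary
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1

def elf64_program_headers(data):
    """Yield (p_type, p_flags) for every program header of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        yield struct.unpack_from("<II", data, e_phoff + i * e_phentsize)

def protections(data):
    """NX and RELRO state as the cheatsheet's Protections column uses them.
    NX: PT_GNU_STACK present without PF_X (no such header means an executable stack).
    RELRO: PT_GNU_RELRO present (partial or full; full RELRO also needs DT_BIND_NOW,
    which lives in the dynamic section and is not parsed here). Canary detection needs
    the symbol table (__stack_chk_fail) and is likewise out of scope for this block."""
    nx, relro = False, False
    for p_type, p_flags in elf64_program_headers(data):
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"NX": nx, "RELRO": relro}

def cheatsheet_row(prots):
    """Protections label in the form the table uses ("None", "NX", "NX RELRO")."""
    return " ".join(name for name in ("NX", "RELRO") if prots[name]) or "None"

def build_elf64(phdrs):
    """Constructed sample: a minimal ELF64 image carrying only the given (p_type, p_flags)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)          # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)  # ET_EXEC, x86-64, phdrs at 64
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # a real binary given on the command line
        print(cheatsheet_row(protections(open(sys.argv[1], "rb").read())))
    else:                                       # constructed samples: weak vs hardened
        weak = build_elf64([(PT_GNU_STACK, 0x7)])                       # rwx stack, no RELRO
        hard = build_elf64([(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])  # rw- stack, RELRO
        print("weak:", cheatsheet_row(protections(weak)))   # None
        print("hard:", cheatsheet_row(protections(hard)))   # NX RELRO
```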

## Available Choices

### Methods

- Find a gadget such as `jmp sp`, put shellcode on the stack, and return to the gadget; it jumps to the stack and the shellcode executes.

- Find gadgets to set up a ROP chain that calls `mprotect` on any available page, read shellcode into that page, then jump there and execute it.

- Find gadgets to set up a ROP chain that calls `read` to load a shell path into memory, then calls `execve` on it.

- Find gadgets to set up a ROP chain that writes out a GOT entry (leaking a libc address) and then calls `read`; with the leak, set up a call to `system` to get a shell.

- Since the canary in a thread is the same as in the main thread, the canary can be brute-forced in sub-threads.

- A fastbin attack on the GOT can be applied when the chunk size can be in the range 0x70~0x7f, since the highest byte of a libc address is 0x7f; the "cut the address" trick is then used to allocate a chunk over the GOT.

- With ASLR on, the heap address is randomized, including its highest byte. The addresses stored in `main_arena`'s bins (fastbins or normal bins) can be abused to allocate a chunk inside `main_arena`, then its metadata, such as the top chunk address, is changed so that later allocations land wherever we want.

- This idea comes from 34c3ctf simplegc. Since tcache does not check the fastbin size when allocating and copying, the header-limit check (the size of an allocated fastbin chunk must be consistent) can be bypassed.

- Use the house of force attack to overwrite the top size with a very large value. Then allocate a large chunk to jump over the gap, so the next allocation lands where we want.

## Contribution

You are welcome to contribute; just use the ordinary issue and pull-request workflow. Try not to change the framework directly in your PR; open an issue first if you have thoughts about that.

Currently this project is still in progress and we need your help. :)

Note that in the Available Choices part we only list the methods most relevant to each situation. We do not repeat methods, since by agreement the methods for a stricter situation can also be applied to easier ones.
