Eight bytes to get a shell.

This will be a quick one. Last week was Hack.lu again, and again it was in the middle of the week. Nothing they can do about that, they say, and I believe them of course! Point being, I didn’t have time to play properly; I only looked at one challenge. There was one little trick I liked and wanted to share.

Visualizing a single null-byte heap overflow exploitation

When Phantasmal Phantasmagoria wrote The Malloc Maleficarum back in 2005 he exposed several ways of turning corruption of the libc allocator’s internal state (its chunk headers and free lists) into control of execution. Ten years later people are still exploring the possibilities offered by such complex data structures. In this article I will present how I solved a challenge from Plaid CTF 2015 and the tool I wrote in the process.
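To make concrete what a "single null-byte heap overflow" corrupts, here is an added example that is not code from the original post or from the visualization tool it describes. It models the 64-bit glibc chunk header in a plain byte array (no real allocator calls) and shows where the terminating NUL of an off-by-one copy lands. The chunk sizes 0x20 and 0x110 and the little-endian layout are assumptions chosen for illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified 64-bit glibc chunk layout, modeled in a plain byte array:
 *   +0x00  prev_size (only meaningful when the previous chunk is free)
 *   +0x08  size      (low three bits are flags; bit 0 is PREV_INUSE)
 *   +0x10  user data (malloc returns this address)
 * A chunk of size 0x20 has 0x18 usable bytes because the user data runs
 * into the next chunk's prev_size field. Nothing here calls the real
 * allocator; the point is to show which byte a single NUL lands on. */
#define PREV_INUSE 0x1u
#define CHUNK_A_SIZE 0x20u   /* what malloc(0x18) would return (assumed) */
#define CHUNK_B_SIZE 0x110u  /* what malloc(0x108) would return (assumed) */
#define HEAP_LEN 0x200u

struct fake_heap {
    uint8_t mem[HEAP_LEN];
};

static uint64_t read_size(const uint8_t *chunk)
{
    uint64_t s;
    memcpy(&s, chunk + 8, sizeof s);   /* assumes little-endian, as on x86-64 */
    return s;
}

static void write_size(uint8_t *chunk, uint64_t s)
{
    memcpy(chunk + 8, &s, sizeof s);
}

/* Lay out chunk A at offset 0 and chunk B directly after it; both in use. */
static uint8_t *heap_init(struct fake_heap *h)
{
    memset(h->mem, 0, sizeof h->mem);
    write_size(h->mem, CHUNK_A_SIZE | PREV_INUSE);
    write_size(h->mem + CHUNK_A_SIZE, CHUNK_B_SIZE | PREV_INUSE);
    return h->mem + 0x10;  /* user pointer for chunk A */
}

/* The bug under discussion: the caller sized the buffer for len bytes and
 * forgot the terminator, so the NUL lands one byte past the usable area. */
static void copy_off_by_one(uint8_t *dst, const uint8_t *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Size field of chunk B before any overflow. */
uint64_t chunk_b_size_clean(void)
{
    struct fake_heap h;
    heap_init(&h);
    return read_size(h.mem + CHUNK_A_SIZE);
}

/* Fill chunk A's 0x18 usable bytes exactly and return chunk B's size field
 * afterwards. The terminating NUL overwrites the least significant byte of
 * that field: 0x111 becomes 0x100, so B now looks smaller and its
 * PREV_INUSE bit is clear, which is the state the allocator's consolidation
 * logic later trusts. */
uint64_t chunk_b_size_after_overflow(void)
{
    struct fake_heap h;
    uint8_t *a = heap_init(&h);
    uint8_t input[0x18];
    memset(input, 'A', sizeof input);   /* constructed attacker input */
    copy_off_by_one(a, input, sizeof input);
    return read_size(h.mem + CHUNK_A_SIZE);
}

int main(void)
{
    printf("chunk B size before: 0x%llx\n",
           (unsigned long long)chunk_b_size_clean());
    printf("chunk B size after : 0x%llx\n",
           (unsigned long long)chunk_b_size_after_overflow());
    return 0;
}
```

The interesting part is that the attacker never controls the byte value, only its position: a NUL in the low byte of the size field both shrinks the chunk and clears PREV_INUSE, and everything the allocator does afterwards (backward consolidation, overlapping chunks) follows from that one corrupted header.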

Giving Jekyll a shot

I’m not sure about this, but since it seems to be all the hype these days I might as well give it a try. At first I was under the impression I would miss RsT, but then I thought what the heck, I need to get used to Markdown anyway with everyone on GitHub using that.

Hack.lu's OREO with ret2dl-resolve

Hack.lu 2014 was really well done and entertaining. For one challenge we needed to call system() from an unknown libc while bypassing ASLR. The return-to-dl-resolve technique I used was new to me, and I will explain it in this post.

A python's escape from PlaidCTF jail

Python jails are pretty common among CTF challenges. Often a good knowledge of the interpreter’s internals gets you a long way. For the non-initiated it might sometimes seem like black magic. PlaidCTF offered a challenging task that required combining several different techniques and some logic.