Age  Commit message  Author  Files  Lines
2024-02-25  Merge branch 'malf-braekerctf-2024'  [HEAD, master]  (Malfurious)  7 files, -35/+166

    * malf-braekerctf-2024:
      Writeup BraekerCTF 2024 / e
      Writeup BraekerCTF 2024 / Eye Doctor
      Add image convolution topic doc
      Add x86 loop instruction callout
      Merge x86 tips into architecture topic doc
      BraekerCTF 2024 results

2024-02-25  Writeup BraekerCTF 2024 / e  (Malfurious)  1 file, -0/+103

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-25  Writeup BraekerCTF 2024 / Eye Doctor  (Malfurious)  1 file, -0/+0

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-25  Add image convolution topic doc  (Malfurious)  1 file, -0/+2

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-25  Add x86 loop instruction callout  (Malfurious)  1 file, -0/+15

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-25  Merge x86 tips into architecture topic doc  (Malfurious)  3 files, -35/+45

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-25  BraekerCTF 2024 results  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>
2024-02-22  Merge branch 'malf-lactf-2024'  (Malfurious)  4 files, -16/+133

    * malf-lactf-2024:
      Update docker guide
      x86 register correction
      lactf 2024 results

2024-02-22  Update docker guide  (Malfurious)  2 files, -15/+131

    The docker reference guide now better explains various common
    situations. The file is moved to docs/nix since docker is not strictly
    a web technology. This location makes more sense.

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-22  x86 register correction  (Malfurious)  1 file, -1/+1

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-22  lactf 2024 results  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>
2024-02-22  Merge branch 'malf-bitsctf-2024'  (Malfurious)  6 files, -5/+25

    * malf-bitsctf-2024:
      RSA link to factordb
      Consolidate forensics links and add FTKImager and volatility
      BITSCTF 2024 results

2024-02-22  RSA link to factordb  (Malfurious)  1 file, -0/+6

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-22  Consolidate forensics links and add FTKImager and volatility  (Malfurious)  4 files, -5/+17

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-22  BITSCTF 2024 results  (Malfurious)  1 file, -0/+2

    Signed-off-by: Malfurious <m@lfurio.us>
2024-02-14  Add pwn Docker image  (Malfurious)  3 files, -0/+174

    Intended to provide a base environment for working with binary
    exploitation challenges and enable process isolation of said binaries.

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-14  Add Stegsolve v1.3  (Malfurious)  2 files, -7/+0

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-14  Leftover note from RITSEC  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-14  Remove sploit tool  (Malfurious)  17 files, -645/+0

    Sploit has been living on in another repository for the past year or
    so. Remove the stale files from this repository.

    Signed-off-by: Malfurious <m@lfurio.us>

2024-02-14  RITSEC CTF 2023 results  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>

2023-03-29  UMass CTF 2023 results  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>
2023-02-17  Merge branch 'malf-lactf-2023'  (Malfurious)  5 files, -0/+582

    * malf-lactf-2023:
      Writeup LACTF 2023 / Switcheroo
      Writeup LACTF 2023 / CTFd plus
      Writeup LACTF 2023 / A hacker's notes
      Writeup LACTF 2023 / One more time pad
      lactf 2023 results

2023-02-17  Writeup LACTF 2023 / Switcheroo  (Malfurious)  1 file, -0/+296

    Signed-off-by: Malfurious <m@lfurio.us>

2023-02-17  Writeup LACTF 2023 / CTFd plus  (Malfurious)  1 file, -0/+125

    Signed-off-by: Malfurious <m@lfurio.us>

2023-02-16  Writeup LACTF 2023 / A hacker's notes  (Malfurious)  1 file, -0/+104

    Signed-off-by: Malfurious <m@lfurio.us>

2023-02-16  Writeup LACTF 2023 / One more time pad  (Malfurious)  1 file, -0/+55

    Signed-off-by: Malfurious <m@lfurio.us>

2023-02-13  lactf 2023 results  (Malfurious)  1 file, -0/+2

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  Merge branch 'shellcoding-enhancements'  (Malfurious)  10 files, -89/+116

    Adds a reverse shell and other improvements for correctness, along with
    a general cleanup of the files.

    * shellcoding-enhancements:
      Ignore shellcode working files
      shellcode: Add sample for connecting a TCP socket
      shellcode: Update /bin/sh shellcodes
      shellcode: Remove shelltool
      shellcode: Update Makefile
      shellcode: Move example code to a new directory
      shellcode: Drop SYS_EXIT samples

2023-01-15  Merge branch 'malf-xmas-2022'  (Malfurious)  3 files, -0/+337

    * malf-xmas-2022:
      Writeup X-MAS CTF 2022 / Krampus Greetings
      Writeup X-MAS CTF 2022 / Santas Complaint Hotline
      X-MAS CTF 2022 results

2023-01-15  Ignore shellcode working files  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Add sample for connecting a TCP socket  (Malfurious)  1 file, -0/+49

    This sample can be used to create a reverse shell when combined with
    the shell64 sample:

        cat examples/{tcp64,shell64}.asm >code.asm
        make
        ...

    Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Update /bin/sh shellcodes  (Malfurious)  2 files, -28/+37

    The shell-spawning shellcodes are rewritten to address the following
    concerns:

    - The array parameters to execve are now set properly, to valid arrays
      on the stack, instead of NULL pointers.

    - The cdq instruction is no longer used to sign-extend the rax
      register, since it has not been producing the expected results in
      gdb.

    - Labels, sections, and other file metadata are removed in order to
      support concatenation of shellcode samples to make more complex code.

    Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Remove shelltool  (Malfurious)  1 file, -30/+0

    shelltool is now deprecated, made redundant by the updated Makefile.

    Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Update Makefile  (Malfurious)  1 file, -12/+26

    This patch brings various improvements to the shellcoding experience:

    - There is no longer a hardcoded assembly sample that gets built

      Although the default was pretty sane, it will be more convenient to
      experiment, or build more complex shellcodes using a new untracked
      filename as the main build target: code.asm

      If code.asm is missing, then as before, it will be created from
      shell64.asm (the old hard default). The Makefile targets will compile
      code.* files.

    - Hex string generation and bad char detection are improved

      grep is used to highlight detected bad chars right in place. This
      entire feature is now implemented directly in the Makefile using a
      couple command lines, making shelltool deprecated.

    - Builtin disassembly

      Just run 'make disas' instead of manually invoking objdump. The
      output is also filtered through grep for bad char detection.

    - ELF executable is optional

      Rather than linking an executable all the time, just run 'make elf'
      when you need it.

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Move example code to a new directory  (Malfurious)  2 files, -0/+0

    This is mainly done to keep the top working directory (where the
    Makefile lives) cleaner.

    Signed-off-by: Malfurious <m@lfurio.us>

2023-01-15  shellcode: Drop SYS_EXIT samples  (Malfurious)  2 files, -16/+0

    Signed-off-by: Malfurious <m@lfurio.us>
2022-12-23  Writeup X-MAS CTF 2022 / Krampus Greetings  (Malfurious)  1 file, -0/+220

    Signed-off-by: Malfurious <m@lfurio.us>

2022-12-23  Writeup X-MAS CTF 2022 / Santas Complaint Hotline  (Malfurious)  1 file, -0/+116

    Signed-off-by: Malfurious <m@lfurio.us>

2022-12-23  X-MAS CTF 2022 results  (Malfurious)  1 file, -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>
2022-09-12  Merge branch 'sploit/symtbl-base'  (Malfurious)  2 files, -8/+15

    This branch brings some conveniences to the semantics behind Symtbl
    base values.

    * sploit/symtbl-base:
      sploit: rev: Properly base Symtbls for non-PIC binaries
      sploit: Fix bugs involving Symtbl base value
      sploit: mem: Allow Symtbl base to be modified

2022-09-12  Merge branch 'sploit/payload-rop-prep'  (Malfurious)  1 file, -32/+32

    This branch provides some payload-specific upgrades that have come out
    of the development so far on the automated ROP chain builder.

    * sploit/payload-rop-prep:
      sploit: payload: Promote private methods to "protected" access
      sploit: payload: Clean up automatic symbol naming
      sploit: payload: Class no longer extends Symtbl
      sploit: payload: Allow variadic insertions
2022-09-12  sploit: rev: Properly base Symtbls for non-PIC binaries  (Malfurious)  1 file, -1/+6

    The baddr property identified by r2 is now used as the base address for
    ELF symbol tables. This should not change the addresses retrieved via
    the table normally, however should fix the internal offsets of the
    table so that rebasing makes sense.

    Note that for PIC/PIE binaries we would already get a Symtbl with
    'correct' offsets, as r2 is unable to absolutely resolve them for us.
    In these cases, the Symtbl base value remains at zero.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12  sploit: Fix bugs involving Symtbl base value  (Malfurious)  2 files, -3/+3

    Some code previously assumed a Symtbl's base value to always be zero.
    This was often the case, however the assumption would break (for
    example) when attempting to rebase() a mapped Symtbl. As of the
    previous patch enabling freer modification of base, the potentiality
    of these bugs will be higher.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12  sploit: mem: Allow Symtbl base to be modified  (Malfurious)  1 file, -6/+8

    Allow a Symtbl's base to be modified in-place, without mapping into a
    new object. This is useful when working with the Symtbl aspect of a
    Payload.

    This includes setting a non-zero base on construction. As usual, when
    defining base on construction, any additional kwargs symbols are
    interpreted relative to the given base. The order of arguments does not
    matter.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-09-12  sploit: payload: Promote private methods to "protected" access  (Malfurious)  1 file, -15/+15

    Lift restriction (name mangling) to Payload helper functions, as their
    use will be useful in Payload subclasses.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12  sploit: payload: Clean up automatic symbol naming  (Malfurious)  1 file, -10/+11

    This is just a slight code reduction, but will make any future code
    simpler as well. Explicit comparison to None is more correct as well;
    centralizing this for reuse better justifies the wordier if statement.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12  sploit: payload: Class no longer extends Symtbl  (Malfurious)  1 file, -11/+8

    Given the current design of Symtbl, creating subclasses of it gets more
    tedious the further one goes down a potential class hierarchy. As I am
    planning to introduce new features in the future that explicitly extend
    Payload, make this change now to minimize the impact.

    Additionally, switching Payload's relationship with Symtbl from "is-a"
    to "has-a" makes it more consistent with rev.ELF, the other major user
    of Symtbl. (And in both cases, the member is named 'sym')

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

2022-09-12  sploit: payload: Allow variadic insertions  (Malfurious)  1 file, -13/+15

    Oftentimes, users of the Payload module wish to push a list of integers
    to a payload buffer. Currently, the best (and intended) way to do this
    is to make several calls to .int().

    However, as part of the ROP effort, I am planning to add function
    'gadget(addr, *params)' to the Payload class. Per the design of this
    function, calling it with an expanded list of values would be
    equivalent to passing each to .int() individually.

    In order to discourage the use of .gadget(), as a shortcut to a series
    of .int()s, .int(), and most other insertion functions, now accept
    arbitrarily many value arguments. Functions that support additional
    options (such as .int()'s 'signed' parameter) will apply such options
    to all values. If a symbol name is defined, it will reference the
    beginning of the block of values.

    Keep in mind, this will also allow inserting zero values. For example,
    obj.bin(sym='end') will tag the end of the payload without extending
    its content. This use-case is not intended to be particularly useful,
    but exists as a consequence of the change.

    Payload.rep() and the pad functions are not affected by this commit, as
    I don't think changing their semantics in this way makes sense.

    Signed-off-by: Malfurious <m@lfurio.us>
    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2022-08-21  Merge branch 'malf-angstrom-2022'  (Malfurious)  5 files, -0/+370

    * malf-angstrom-2022:
      Writeup angstromCTF 2022 / whatsmyname
      Writeup angstromCTF 2022 / uninspired
      Writeup angstromCTF 2022 / baby3
      Writeup angstromCTF 2022 / Auth Skip
      angstromCTF 2022 results

2022-05-07  Writeup angstromCTF 2022 / whatsmyname  (Malfurious)  1 file, -0/+115

    Signed-off-by: Malfurious <m@lfurio.us>