leon3321.is-a.dev
172.66.44.61  Public Scan

Submitted URL: http://leon3321.is-a.dev/
Effective URL: https://leon3321.is-a.dev/
Submission: On September 25 via api from US — Scanned from IS

Form analysis 0 forms found in the DOM

Text Content

leon332157



HI, I’M LEON

I’m a Junior in Computer Science/Data Science at UMass Amherst

My interests are in DevOps, Infrastructure, Reverse Engineering, Vulnerability
Analysis, Computer Networking and Operating Systems

Here, I will be sharing my writeups for CTFs and projects as well as my thoughts
on various topics

To learn more about me, navigate to the About page




SUPER CPP CALCULATOR (PWN)

Super CPP Calculator is a pwn challenge from Deadsec CTF 2024. There’s one
binary given; let’s examine the binary first: OK, looks promising for an easy
pwn, let’s open the binary in Ghidra. Looking at the main function in Ghidra
(cleaned up for clarity): There are a few things to note here. We can see that a
Calculator class is used here, and it appears to be allocated on the stack, so
let’s look at the class....

July 30, 2024


MAGIC CONCH (REV)

Magic Conch is a rev challenge. Downloading and opening the binary file in
Ghidra: We can find an entry point, I have renamed the main function to main.
Here is the main function in Ghidra, edited for clarity:

    int main(void)
    {
      char buf [64];
      uint outlen;
      int length;
      code *entry_point_function;
      void *shared_obj_ptr;
      int memfd;
      void *dec_data;
      void *input_data;

      input_data = (void *)gen1(&enc_bin_start,&length);
      if (input_data == NULL) {
        exit(1);
      }
      dec_data = (void *)gen2(input_data,length,&outlen);
      if (dec_data == NULL) {
        exit(1);
      }
      free(input_data);
      memfd = memfd_create("payload_file",0);
      if (memfd == 0) {
        exit(1);
      }
      write(memfd,dec_data,outlen);
      sprintf(buf,"/proc/self/fd/%d",(ulong)(uint)memfd);
      shared_obj_ptr = (void *)dlopen(buf,1);
      if (shared_obj_ptr == NULL) {
        free(input_data);
        exit(1);
      }
      entry_point_function = (code *)dlsym(shared_obj_ptr,"EntryPoint");
      if (entry_point_function == NULL) {
        free(input_data);
        dlclose(shared_obj_ptr);
        exit(1);
      }
      (*entry_point_function)();
      dlclose(shared_obj_ptr);
      close(memfd);
      free(dec_data);
      return 0;
    }

Looking at the main function, we can see that it uses syscalls such as dlopen as
well as dlsym....

April 21, 2024