CTF pwnable challenge cheatsheet

• Jump sp shellcode

• ROP mprotect-shellcode
• ROP execve

• ROP system

• bruteforce canary

• fastbin attack GOT

• Fastbin attack main arena bins
• Tcache bypass fastbin size check

• House of Force

Find a gadget like jump sp then put shellcode on stack, jump sp will jump to stack then execute shellcode.

Find gadgets to setup ROP chain to call mprotect on any page available, then read shellcode to that page, and then jump there and execute it.

Find gadgets to setup ROP chain to call read to read shell path and call execve.

Find gadgets to setup ROP chain to write GOT address(so we can get libc address) and read, then setup call to system so we are able to call shell.

Since the canary in threads is the same as main thread so we can bruteforce the canary in sub-threads.

Fastbin attack GOT can be applied when size can be range(0x70, 0x7f), since the highest byte of libc address should be 0x7f, then using cut the address trick to allocate to GOT.

With ASLR on, heap address is randomized even the highest byte. We can abuse the addresses in main_arena's bins(fastbins or normal bins) to allocate to main_arena then change meta-data in main_arena like top chunk address to allocate anywhere we want

This idea comes from 34c3ctf simplegc. Since tcache will not check fastbin size when allocating and copying, we can bypass the header limits(allocating fastbin chunk's size must be consistent) check.

Use house of force attack to overwrite top size to very large. Then allocate a large chunk to complete jump over the gap, so next allocation will be where we want.

You are welcomed to make your contribution, just use oridinary issue and pull-request methods. Try not to change the framework directly in your PR, send an issue first if you have some thoughts about that.

Currently this project is still in progress, we need you to help us. :)

Note that the Available Choices part we only list those that are more related to that situation. So, we don't need to repeat the methods since we have the agreement that the methods of more strict situation can be applied to easier ones.