ngtuonghung's pwn blog

final pokemon player

Vulnerability: toc-tou race condition -> out-of-bound write; arbitrary function pointer -> stack buffer overflow using gets()

cve-2009-3895 cve-2012-2836 libexif (Draft)

Linkers and Loaders in Linux Userland

Reproducing and Patching CVE-2019-13288 - XPDF Infinite recursion & Null pointer dereference

Discovering CVE-2019-13288 in XPDF 3.02 using AFL++ fuzzing and proposing patches.

Vulnerability: infinite recursion; null pointer dereferencing

Getting Started With Linux Kernel Exploitation

pwn - oop

Vulnerability: use after free - dangling pointer -> tcache poisoning

pwn - Runic

Pandora is close to finally arriving at the Pharaoh’s tomb and finding the ancient relic, but she faces a tremendously...

Vulnerability: incorrect string handling - strcpy() on raw read() buffer containing null byte -> heap buffer overflow

pwn - Identity

I added a protection layer in front of my database, it's safe now… right? Right??

Vulnerability: off-by-one out-of-bound write -> .bss buffer overflow

pwn - Story Contest

It’s time for you to tell your best story, and maybe you’ll be rewarded accordingly. Good luck !

Vulnerability: toc-tou race condition -> stack buffer overflow - improper length check in read()

pwn - 1149 - Repeat Service

Repeat Service is a convenient service that allows you to enter a string and output it over and over again....

Vulnerability: stack buffer overflow - improper dest check in memcpy()

pwn - 621 - Sea of Stack

Throw the flag at sea. It's so deep that no one can find it.

Vulnerability: stack buffer overflow - improper length check in read()

pwn - 721 - Santa claus is coming to town

산타 할아버지는 알고계신대. 누가 착한 앤지 나쁜 앤지 ...??? 어떻게??? 취약점을 찾아 셀을 획득한 후 flag 파일을 읽으세요. 플래그 형식은 DH{…} 입니다.

Vulnerability: arbitrary size allocation; out-of-bound write - improper index check

pwn

Vulnerability: heap buffer overflow - improper length check in read()

node user

Vulnerability: heap buffer overflow - improper buffer check in read()

PWN3

Vulnerability: stack buffer overflow - improper length check in read()

PWN2

Vulnerability: use after free - dangling pointer

PWN1

Vulnerability: stack buffer overflow - improper length check in fget() / heap buffer overflow - improper length check in memcpy()

pwn - Crash

I have received a crash report from my server service and I lost my access to the server. The initial...

Vulnerability: format string bug; stack buffer overflow

pwn - Paf Traversal

Your mission is to audit a high-performance hash-cracking platform. It achieves its speed by combining a Go-based API server with...

Vulnerability: path traversal

pwn - Calc

Welcome to Calculator Pro Max - where mathematics meets management!

Vulnerability: double free - dangling pointer

pwn - HeapNote Revenge

I wrote another heap note app and I think it's safe this time. Can you prove me wrong and get...

Vulnerability: integer vulnerability - signed and unsigned conversion -> stack buffer overflow - improper length check

pwn - Anyone Think

Pwn to find the password

Vulnerability: format string bug

pwn - Master's Request

Sanryu's Masters need help from you guys to read the flag.txt in the same dir, please come !!!

Vulnerability: rwx permission

Reproducing Nimbuspwn: Linux Privilege Escalation via Path Traversal and TOCTOU in networkd-dispatcher

A technical walkthrough of reproducing Nimbuspwn (CVE-2022-29799 and CVE-2022-29800), privilege escalation vulnerabilities in networkd-dispatcher exploiting path traversal and TOCTOU race...

Vulnerability: toc-tou race condition; unsanitized path; improper check for symlink

Reproducing CVE-2020-8831: Privilege Escalation via Symlink Attack on Apport's Lock File Implementation

CVE-2020-8831 is a vulnerability where an attacker can create a symlink at /var/lock/apport, redirecting Apport's lock file location and leading...

Vulnerability: using hardcoded path without checking for symlink

Reproducing CVE-2022-0324: Buffer Overflow in dhcp6relay of SONiC

CVE-2022-0324 is a stack buffer overflow vulnerability in the memcpy function within the DHCPv6 relay server of the SONiC network...

Vulnerability: stack buffer overflow - improper length check in read()

pwn - Contractor

Sir Alaric calls upon the bravest adventurers to join him in assembling the mightiest army in all of Eldoria. Together,...

Vulnerability: stack buffer overflow - improper length check in read()

pwn - Strategist

To move forward, Sir Alaric requests each member of his team to present their most effective planning strategy. The individual...

Vulnerability: incorrect string handling - strlen() overcount -> heap buffer overflow

pwn - Crossbow

Sir Alaric's legendary shot can pierce through any enemy! Join his training and hone your aim to match his unparalleled...

Vulnerability: out-of-bound write -> stack pivot

pwn - Laconic

Sir Alaric's struggles have plunged him into a deep and overwhelming sadness, leaving him unwilling to speak to anyone. Can...

Vulnerability: stack buffer overflow - improper length check in read()

pwn - Hanoi Convention

Can you answer all these questions?

Vulnerability: stack buffer overflow - improper length check in read(), strcpy(); format string bug

pwn - sudokuS

Play the sudoku and get flag. Flag path at /flag.

Vulnerability: rwx permission

pwn - Heap NoteS

Vulnerability: heap buffer overflow - improper length check in gets()

pwn - RacehorseS

My daughter Haru Urara is learning C. She wrote a little program to talk to another horse. Can you check...

Vulnerability: format string bug

pwn - lotto

Vulnerability: stack buffer overflow - improper length check in memcpy()

pwn - ROP

Vulnerability: stack buffer overflow - improper length check in read()

pwn - BugBounty

Dear hecker, We are The Inquisition, and we are excited to announce ourupcoming program, "Note" - a program for Space Marines...

Vulnerability: use after free - dangling pointer

pwn - RUN NOW

Run run run!!!

Vulnerability: stack buffer overflow - improper length check in strcpy()

pwn - ropfu

What's ROP?

Vulnerability: stack buffer overflow - improper length check in get()

pwn - buffer overflow 23

Control the return address and arguments | Do you think you can bypass the protection and get the flag?

Vulnerability: stack buffer overflow

pwn - babygame02

Break the game and get the flag.

Vulnerability: stack buffer overflow

pwn - Horsetrack

I'm starting to write a game about horse racing, would you mind testing it out? Maybe you can find some...

Vulnerability: use after free - dangling pointer

pwn - tic-tac

Someone created a program to read text files; we think the program reads files with root privileges but apparently it...

Vulnerability: toc-tou race condition

pwn - high frequency troubles

Vulnerability: house of orange + heap buffer overflow - improper length check in gets()

Kỹ thuật Heap Exploitation - House of Orange

Tìm hiểu chi tiết về cơ chế hoạt động của kỹ thuật khai thác heap House of Orange.

pwn - babygame03

Break the game and get the flag.Welcome to BabyGame 03! Navigate around the map and see what you can find!...

pwn - format string 0123

Can you use your knowledge of format strings to make the customers happy? | Patrick and Sponge Bob were really...

pwn - heap 0123

Are overflows just a stack concern? | Can you control your overflow? | Can you handle function pointers? | This...

pwn - Echo Valley

The echo valley is a simple function that echoes back whatever you say to it.But how do you make it...

pwn - Handoff

Vulnerability: stack buffer overflow

pwn - hash only 12

Here is a binary that has enough privilege to read the content of the flag file but will only let...

pwn - PIE TIME 12

Can you try to get the flag? Beware we have PIE! | Can you try to get the flag? I'm...

Vulnerability: format string bug