pwn
1.5k words
chip8 (Solves: 24, Easy)
I just found a repo of a chip-8 emulator, it may be vulnerable but I didn't have enough time to report the vulnerability with a working PoC. You must find a way to get the flag in memory on the remote service!
Author: Express#8049
Remote service at: nc 51.254.39.184 1337
chip8 is an emulator-pwn challenge I did during the pwnme CTF. You can find the related files here.
Code review
This challenge is based on an emulator called c8emu that is updated with these lines of co...
pwn
2.6k words
Heap-Hop (Solves: 31, Medium)
Heap exploitation is cool, and the best is when no free is used. Try to pwn the challenge and get the flag remotely.
Note: You must spawn an instance to solve this challenge. You can connect to it with netcat: nc IP PORT
Author: Express#8049
Remote service at: nc 51.254.39.184 1336
Heap-Hop is a heap exploitation challenge I did during the pwnme CTF. It involved classic tricks like tcache poisoning and GOT hijacking. You can find the related files here.
TL...
pwn
3.7k words
Introduction
File streams are now a very common attack surface; here is a high-level introduction that should help you understand the design of the known attacks beyond reading the code of one particular function. I already talked about FSOP here. This article reviews glibc 2.36. Most of this article comes from this awesome series of articles about the _IO_FILE structure.
Global design
As said in my previous writeup: basically on Linux "everything is a file", from a character device to any stream...
pwn
4k words
Introduction
babyfile is a file stream exploitation challenge I did during the SECCON CTF 2022 Quals event. I didn't manage to flag it within the 24 hours :(. But anyway, I hope this write-up will be interesting to read given that I show another way to gain code execution, one I have not seen before, based on _IO_obstack_jumps! The related files can be found here. If you're not familiar with file stream internals, I advise you to read my previous writeups about file stream exploitation, especially this one and...