Hello! I’m Osori😒

This is my technical & writeup blog

tbtlctf 2024 pwn from the fast

A very simple buffer overflow, but it runs in DOSBox, which emulates MS-DOS. That’s right! This pwnable challenge is 16-bit.

    #include <stdio.h>

    int main() {
        char name[32];
        FILE *input = fopen("input.txt", "rt");
        FILE *output = fopen("output.txt", "wt");

        if (!input) {
            printf("Error opening input file!");
            return 1;
        }

        if (!...

May 13, 2024

utctf 2024 Handwritten Webserver

I solved this challenge as part of the DeadSec team. A web server written in C is given. In the code, the server uses the debug_handler function when the client requests the flag.txt file, as in the code below.

    handler_fn handler;
    if (strstr(path, "flag.txt") != NULL) {
        handler = debug_handler;
    } else {
        handler = fileserv_handler;
    }
    handler(method, path, version, header_count, headers, data, err);

The vulnerability is in the call to gets.

    for (;;) {
        char *header_line = gets(buf);
        if (header_line == NULL) longjmp(err, 1);
        if (strlen(header_line) == 0 || strcmp(header_line, "\r") == 0) break; // "\n" or "\r\n"; end of query

In the code above, we can control the headers, header_cap and header_count variables because buf is at a lower address than those variables....

May 9, 2024

linectf 2024 iine-voip-mailbox

FreeSWITCH with a vulnerability runs on the server.

Vuln

There are many vulnerabilities in the problem, but the vulnerability I used is an OOB in mailbox_handle_edit.

    char *mailbox_handle_edit(sofia_profile_t *profile, const char *id, int idx, char *msg, int msg_len)
    {
        ...
        if (mailbox->mail[idx] != NULL) {
            strncpy(mailbox->mail[idx], msg, msg_len);
            strcpy(response, "edited");
        }

In the picture above, 0x7f3170003528 is mailbox->mail (index 0). In a general pwnable challenge, the lower 1.5 bytes of an address are immutable....

May 7, 2024