Code and exploit for the "read-eval-pwn loop" challenge of 33C3 CTF
exploit
files
Dockerfile
README.md
docker_build.sh
docker_run.sh
package.sh

README.md

read-eval-pwn loop

The goal of this challenge was to exploit the `load` function in a mostly unmodified Lua interpreter. To make it more interesting, the interpreter and libc were compiled with clang's control flow integrity (CFI) protection, as well as numerous other hardening mechanisms. The exploit achieves an arbitrary read/write primitive by faking a string and a table object (through the LOADK opcode with an out-of-bounds constant index), then gains code execution by overwriting a jmpbuf structure that the interpreter uses for exception handling and coroutine yielding.
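As an added example from the defensive side (not part of the challenge or this repository's code): the out-of-bounds LOADK index can only come from a crafted precompiled chunk, since the Lua compiler never emits one, so an interpreter that loads untrusted input should restrict `load` to text chunks. The wrapper name `safe_load` and the demo values are chosen here.

```lua
-- Wrapper around Lua 5.3's load(chunk, chunkname, mode, env) that refuses
-- precompiled bytecode and runs the chunk with an empty global environment.
-- The LOADK-with-bad-index trick needs hand-crafted bytecode; mode "t"
-- makes load reject any binary chunk before the VM ever executes it.
local function safe_load(chunk, name, env)
  if type(chunk) ~= "string" then
    return nil, "only string chunks are accepted"
  end
  -- Binary chunks start with ESC (0x1b) followed by "Lua". Checking it
  -- explicitly gives a clear error; mode "t" below enforces it regardless.
  if chunk:sub(1, 1) == "\27" then
    return nil, "binary chunks refused"
  end
  -- "t" = text only; env defaults to a fresh table so the chunk sees no globals.
  return load(chunk, name or "=untrusted", "t", env or {})
end

-- Demo with constructed inputs.
local f, err = safe_load("return 1 + 1")
assert(f ~= nil, err)
assert(f() == 2)

-- string.dump produces a binary chunk; the wrapper must refuse it.
local bin = string.dump(function() return 42 end)
local g, err2 = safe_load(bin)
assert(g == nil and err2 == "binary chunks refused")

-- Even with the prefix check removed, mode "t" alone rejects bytecode.
local h, err3 = load(bin, "=untrusted", "t", {})
assert(h == nil and err3 ~= nil)

-- The empty environment means library functions are not reachable.
local k = safe_load("return os")
assert(k() == nil)
print("safe_load checks passed")
```

Restricting the mode does not help if the interpreter itself has been modified to skip the check, which is why the challenge binary is worth inspecting before trusting its `load`.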

A working exploit can be found in exploit/. Usage:

```
./pwn.py
cat pwn.lua | nc ...
```