ideabrowser.com — find trending startup ideas with real demand
Try itnpx skills add https://github.com/ljagiello/ctf-skills --skill ctf-pwnQuick reference for binary exploitation (pwn) CTF challenges. Each technique has a one-liner here; see supporting files for full details.
__call_tls_dtors, custom shadow stack pointer overflow bypass, signed int overflow negative OOB heap write, XSS-to-binary pwn bridge, Windows SEH overwrite + pushad VirtualAlloc ROP, SeDebugPrivilege → SYSTEMpthread -> race conditionsusleep()/sleep() -> timing windowsbash -c '{ echo "cmd1"; echo "cmd2"; sleep 1; } | nc host port'
gets(), scanf("%s"), strcpy()printf(user_input)| Protection | Status | Implication |
|---|---|---|
| PIE | Disabled | All addresses (GOT, PLT, functions) are fixed - direct overwrites work |
| RELRO | Partial | GOT is writable - GOT overwrite attacks possible |
| RELRO | Full | GOT is read-only - need alternative targets (hooks, vtables, return addr) |
| NX | Enabled | Can't execute shellcode on stack/heap - use ROP or ret2win |
| Canary | Present | Stack smash detected - need leak or avoid stack overflow (use heap) |
Quick decision tree:
__free_hook, __malloc_hook (glibc < 2.34), or return addressescyclic 200 then cyclic -l <value>checksec --file=binaryret2win with magic value: Overflow -> ret (alignment) -> pop rdi; ret -> magic -> win(). See overflow-basics.md for full exploit code.
Stack alignment: Modern glibc needs 16-byte alignment; SIGSEGV in movaps = add extra ret gadget. See overflow-basics.md.
Offset calculation: Buffer at rbp - N, return at rbp + 8, total = N + 8. See overflow-basics.md.
Input filtering: memmem() checks block certain byte sequences; assert payload doesn't contain banned strings. See overflow-basics.md.
Finding gadgets: ROPgadget --binary binary | grep "pop rdi", or use pwntools ROP() which also finds hidden gadgets in CMP immediates. See overflow-basics.md.
Pattern: Menu create/modify/delete on structs with data buffer + pointer. Overflow name into pointer field with GOT address, then write win address via modify. See overflow-basics.md for full exploit and GOT target selection table.
Pattern: scanf("%d") without sign check; negative quantity * price = negative total, bypasses balance check. See overflow-basics.md.
Pattern: Overflow valid flag between buffer and canary. Use ./ as no-op path padding for precise length. See overflow-basics.md and advanced.md for full exploit chain.
Pattern: Adjacent global variables; overflow via extra CSV delimiters changes filename pointer. See overflow-basics.md and advanced.md for full exploit.
Leak libc via puts@PLT(puts@GOT), return to vuln, stage 2 with system("/bin/sh"). See rop-and-shellcode.md for full two-stage ret2libc pattern, leak parsing, and return target selection.
Raw syscall ROP: When system()/execve() crash (CET/IBT), use pop rax; ret + syscall; ret from libc. See rop-and-shellcode.md.
ret2csu: __libc_csu_init gadgets control rdx, rsi, edi and call any GOT function — universal 3-argument call without libc gadgets. See rop-and-shellcode.md.
Bad char XOR bypass: XOR payload data with key before writing to .data, then XOR back in place with ROP gadgets. Avoids null bytes, newlines, and other filtered characters. See rop-and-shellcode.md.
Exotic gadgets (BEXTR/XLAT/STOSB/PEXT): When standard mov write gadgets are unavailable, chain obscure x86 instructions for byte-by-byte memory writes. See rop-and-shellcode.md.
Stack pivot (xchg rax,esp): Swap stack pointer to attacker-controlled heap/buffer when overflow is too small for full ROP chain. Requires pop rax; ret to load pivot address first. See rop-and-shellcode.md.
rdx control: After puts(), rdx is clobbered to 1. Use pop rdx; pop rbx; ret from libc, or re-enter binary's read setup + stack pivot. See rop-and-shellcode.md.
Shell interaction: After execve, sleep(1) then sendline(b'cat /flag*'). See rop-and-shellcode.md.
Pattern: Statically-linked binary with minimal functions and no useful ROP gadgets. The Linux kernel maps a vDSO into every process, containing usable gadgets. Leak vDSO base from AT_SYSINFO_EHDR (auxv type 0x21) on the stack, dump the vDSO, extract gadgets for execve. vDSO is kernel-specific — always dump the remote copy. See rop-advanced.md.
Pattern: Menu create/delete/view where free() doesn't NULL pointer. Create -> leak -> free -> allocate same-size object to overwrite function pointer -> trigger callback. Key: both structs must be same size for tcache reuse. See advanced.md for full exploit code.
Alternative syscalls when seccomp blocks open()/read(): openat() (257), openat2() (437, often missed!), sendfile() (40), readv()/writev(), mmap() (9, map flag file into memory instead of read), pread64() (17).
Check rules: seccomp-tools dump ./binary
See rop-advanced.md for quick reference and advanced.md for conditional buffer address restrictions, shellcode without relocations, scmp_arg_cmp struct layout.
Pattern: Binary reverses input buffer. Pre-reverse shellcode, use partial 6-byte RIP overwrite, trampoline jmp short to NOP sled. See rop-advanced.md.
Writable .fini_array + arbitrary write -> overwrite with win/shellcode address. Works even with Full RELRO. See rop-advanced.md for implementation.
Pattern: Sanitizer skips char after banned char match; double chars to bypass (e.g., ....//....//etc//passwd). Also try /proc/self/fd/3 if binary has flag fd open. See advanced.md.
modprobe_path overwrite (smallkirby/kernelpwn): Overwrite modprobe_path with evil script path, then execve a binary with non-printable first 4 bytes. Kernel runs the script as root. Requires AAW; blocked by CONFIG_STATIC_USERMODEHELPER. See kernel.md.
tty_struct kROP (smallkirby/kernelpwn): open("/dev/ptmx") allocates tty_struct in kmalloc-1024. Overwrite ops with fake vtable → ioctl() hijacks RIP. Build two-phase kROP within tty_struct itself via leave gadget stack pivot. See kernel.md.
userfaultfd race stabilization (smallkirby/kernelpwn): Register mmap'd region with uffd. Kernel page fault blocks the thread → deterministic race window for heap manipulation. See kernel.md.
Heap spray structures: tty_struct (kmalloc-1024, kbase leak), tty_file_private (kmalloc-32, kheap leak), poll_list (variable, arbitrary free via linked list), user_key_payload (variable, add_key() controlled data), seq_operations (kmalloc-32, kbase leak). See kernel.md.
ret2usr (hxp CTF 2020): When SMEP/SMAP are disabled, call prepare_kernel_cred(0) → commit_creds() directly from userland function, then swapgs; iretq to return as root. See kernel.md.
Kernel ROP chain (hxp CTF 2020): With SMEP, build ROP: pop rdi; ret → 0 → prepare_kernel_cred → mov rdi, rax → commit_creds → swapgs → iretq → userland. See kernel.md.
KPTI bypass methods (hxp CTF 2020): Four approaches: swapgs_restore_regs_and_return_to_usermode + 22 trampoline, SIGSEGV signal handler, modprobe_path overwrite via ROP, core_pattern pipe via ROP. See kernel.md.
FGKASLR bypass (hxp CTF 2020): Early .text section gadgets are unaffected. Resolve randomized functions via __ksymtab relative offsets in multi-stage exploit. See kernel.md.
Config recon: Check QEMU script for SMEP/SMAP/KASLR/KPTI. Detect FGKASLR via readelf -S vmlinux section count (30 vs 36000+). Check CONFIG_KALLSYMS_ALL via grep modprobe_path /proc/kallsyms. See kernel.md.
OOB via vulnerable lseek, heap grooming with fork(), SUID exploits. Check CONFIG_SLAB_FREELIST_RANDOM and CONFIG_SLAB_MERGE_DEFAULT. See advanced.md.
Race window extension (DiceCTF 2026): MADV_DONTNEED + mprotect() loop forces repeated page faults during kernel operations touching userland memory, extending race windows from sub-ms to tens of seconds. See kernel-techniques.md.
Cross-cache via CPU split (DiceCTF 2026): Allocate on CPU 0, free from CPU 1 — objects escape dedicated SLUB caches via partial list overflow → buddy allocator. See kernel-techniques.md.
PTE overlap file write (DiceCTF 2026): Reclaim freed page as PTE page, overlap anonymous + file-backed mappings → write through anonymous side modifies file content at physical page level. See kernel-techniques.md.
Pattern: Custom slab allocator + io_uring worker thread. FLUSH frees objects (UAF), type confusion via slab fallback, craft IORING_OP_OPENAT SQE in reused memory. io_uring trusts SQE contents from userland shared memory. See advanced-exploits-2.md.
Pattern: Input validated as int32 (>= 0), cast to int16_t for bounds check. Value 65534 passes int32 check, becomes -2 as int16_t → OOB array access. Use xchg rdi, rax; cld; ret gadget for dynamic fd capture in containerized ORW chains. See advanced-exploits-2.md.
%p.%p.%p.%p.%p.%p | Leak specific: %7$p%n (4-byte), %hn (2-byte), %hhn (1-byte), %lln (8-byte full 64-bit)See format-string.md for GOT overwrite patterns, blind pwn, filter bypass, canary+PIE leak, __free_hook overwrite, and argument retargeting.
When to use: GOT addresses contain bad bytes (e.g., 0x0a). Patch .rela.plt symbol index + .dynsym st_value to redirect function resolution to win(). Bypasses all GOT byte restrictions. See format-string.md for full technique and code.
_IO_wfile_jumps when __free_hook/__malloc_hook removed. Fake FILE with _flags = " sh", vtable chain → system(fp). For SUID binaries: use setcontext() variant to stack pivot → setuid(0) → system() (dash drops privs when uid != euid). See advanced.md.ptr ^ (chunk_addr >> 12).strings libc.so.6 | grep GLIBCHouse of Orange: Corrupt top chunk size → large malloc forces sysmalloc → old top freed without calling free(). Chain with FSOP. See advanced.md.
House of Spirit: Forge fake chunk in target area, free() it, reallocate to get write access. Requires valid size + next chunk size. See advanced.md.
House of Lore: Corrupt smallbin bk → link fake chunk → second malloc returns attacker-controlled address. See advanced.md.
ret2dlresolve: Forge Elf64_Sym/Rela to resolve arbitrary libc function without leak. Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"]). Requires Partial RELRO. See advanced.md.
tcache stashing unlink (glibc 2.29+): Corrupt smallbin chunk's bk during tcache stashing → arbitrary address linked into tcache → write primitive. See advanced.md.
See advanced.md for House of Apple 2 FSOP chain (+ setcontext SUID variant), House of Orange/Spirit/Lore, ret2dlresolve, tcache stashing unlink, custom allocator exploitation (nginx pools), heap overlap via base conversion, tree data structure stack underallocation, FSOP + seccomp bypass via openat/mmap/write with mov rsp, rdx stack pivot.
GF(2) Gaussian elimination for tcache poisoning: When a deterministic XOR cipher corrupts heap metadata as a side effect, model the corruption as linear algebra over GF(2). Find a subset of cipher seeds whose combined XOR transforms tcache fd from current value to target address. See advanced-exploits-2.md.
Pattern: Off-by-one in instruction encoding -> misaligned machine code. Embed shellcode as operand bytes of subtraction operations, chain with 2-byte jmp instructions. See advanced.md.
BF JIT unbalanced bracket: Unbalanced ] pops tape address (RWX) from stack → write shellcode to tape with +/-, trigger ] to jump to it. See advanced.md.
Pattern: Interpreter sets wrong type tag → struct fields reinterpreted. Unused padding bytes in one variant become active pointers/data in another. Flag bytes as type value trigger UNKNOWN_DATA dump. See advanced.md.
Pattern: Array index 0 maps to entries[-1], overlapping struct metadata (size field). Corrupted size → OOB read leaks canary/libc, then OOB write places ROP chain. See advanced.md.
Pattern: win() checks if (attempts++ > 0) — needs two calls. Stack two return addresses: p64(win) + p64(win). See advanced.md.
Pattern: Brainfuck/Pikalang interpreter with unbounded tape = arbitrary read/write relative to buffer base. Move pointer to GOT, overwrite byte-by-byte with system(). See advanced.md.
Pattern: Many AAAA records overflow stack buffer in DNS response parser. Set up DNS server with excessive records, overwrite return address. See advanced.md.
Pattern: Binary with AddressSanitizer has format string + OOB write. ASAN may use "fake stack" (50% chance). Leak PIE, detect real vs fake stack, calculate OOB write offset to overwrite return address. See advanced.md.
Pattern (Encodinator): Base85-encoded input in RWX memory passed to printf(). Write shellcode to RWX region, overwrite .fini_array[0] via format string %hn writes. Use convergence loop for base85 argument numbering. See advanced.md.
Pattern: Buffer overflow must preserve known canary value. Write exact canary bytes at correct offset: b'A' * 64 + b'BIRD' + b'X'. See advanced.md.
Pattern (Hashchain): Brute-force MD5 preimages with eb 0c prefix (jmp +12) to skip middle bytes; bytes 14-15 become 2-byte i386 instructions. Build syscall chains from gadgets like 31c0 (xor eax), cd80 (int 0x80). See advanced.md for C code and v2 technique.
AST bypass via f-strings, audit hook bypass with b'flag.txt' (bytes vs str), MRO-based __builtins__ recovery. See sandbox-escape.md.
Pattern: Custom VM with NEWBUF/SLICE/GC opcodes. Slicing creates shared slab reference; dropping+GC'ing slice frees slab while parent still holds it. Allocate function object to reuse slab, leak code pointer via UAF read, overwrite with win() address. See advanced.md.
Pattern: Mark-compact GC follows null references to heap address 0, creating fake object. During compaction, memmove cascades corruption through adjacent object headers → OOB access → libc leak → FSOP. See advanced.md.
Pattern: String processing function with user-controlled stride skips past null terminator, leaking stack canary and return address one byte at a time. Then overflow with leaked values. See overflow-basics.md.
Pattern: When payload must be valid UTF-8 (Rust binaries, JSON parsers), use SROP — only 3 gadgets needed. Multi-byte UTF-8 sequences spanning register field boundaries "fix" high bytes. See rop-advanced.md.
Pattern: Custom VM with OOB read/write in syscalls. Leak PIE via XOR-encoded function pointer, overflow to rewrite pointer with win() ^ KEY. See sandbox-escape.md.
Look for cuse_lowlevel_main() / fuse_main(), backdoor write handlers with command parsing. Exploit to chmod /etc/passwd then modify for root access. See sandbox-escape.md.
Find writable paths via character devices, target /etc/passwd or /etc/sudoers, modify permissions then content. See sandbox-escape.md.
exec<&3;sh>&3 for fd redirection, $0 instead of sh, ls -la /proc/self/fd to find correct fd. See sandbox-escape.md.
Pattern: Small overflow (only RBP + RIP). Overwrite RBP → BSS address, RIP → leave; ret gadget. leave sets RSP = RBP (BSS). Second stage at BSS calls fgets(BSS+offset, large_size, stdin) to load full ROP chain. See rop-advanced.md.
Pattern: Seccomp blocks 64-bit syscalls (open, execve). Use retf gadget to load CS=0x23 (IA-32e compatibility mode). In 32-bit mode, int 0x80 uses different syscall numbers (open=5, read=3, write=4) not covered by the filter. Requires mprotect to make BSS executable for 32-bit shellcode. See rop-advanced.md.
Pattern: No libc leak available. Chain multiple fgets(addr, 7, stdin) calls via ROP to construct fake stdout FILE struct on BSS. Set _IO_write_base to GOT entry, call fflush(stdout) → leaks GOT content → libc base. The 7-byte writes avoid null byte corruption since libc pointer MSBs are already \x00. See advanced-exploits-2.md.
Pattern: Size field stored as signed char, cast to unsigned char for use. size = -112 → (unsigned char)(-112) = 144, overflowing a 127-byte buffer by 17 bytes. Combine with XOR keystream brute-force for byte-precise writes, forge chunk sizes for unsorted bin promotion (libc leak), FSOP stdout for TLS leak, and TLS destructor (__call_tls_dtors) overwrite for RCE. See advanced-exploits-2.md.
__call_tls_dtorsPattern: Alternative to House of Apple 2 on glibc 2.34+. Forge __tls_dtor_list entries with pointer-guard-mangled function pointers: encoded = rol(target ^ pointer_guard, 0x11). Requires leaking pointer guard from TLS segment (via FSOP stdout redirection). Each node calls PTR_DEMANGLE(func)(obj) on exit. See advanced-exploits-2.md.
Pattern (Canvas of Fear): Index formula y * width + x in signed 32-bit int overflows to negative value, passing bounds check and writing backward into heap metadata. Use to corrupt adjacent chunk sizes/pointers, leak libc via unsorted bin, redirect a data pointer to environ for stack leak, then write ROP chain to main's return address. When binary is behind a web API, chain XSS → Fetch API → heap exploit, and inject \n in API parameters for command stacking via sendline().
See advanced-exploits-2.md for full exploit chain, XSS bridge pattern, and RGB pixel write primitive.
Pattern (Revenant): Userland shadow stack in .bss with unbounded pointer. Recurse to advance shadow_stack_ptr past the array into user-controlled memory (e.g., username buffer), write win() there, then overflow the hardware stack return address to match. Both checks pass.
# Iterate (target_addr - shadow_stack_base) // 8 times to overflow pointer
for i in range(512):
io.sendlineafter(b"Survivor name:\n", fit(exe.symbols["win"]))
io.sendlineafter(b"[0] Flee", b"4") # recurse
See advanced-exploits-2.md for full exploit and .bss layout analysis.
Format string leak defeats ASLR. SEH (Structured Exception Handler) overwrite with stack pivot to ROP chain. pushad builds VirtualAlloc call frame for DEP (Data Execution Prevention) bypass. Detached process launcher for shell stability on thread-based servers. See advanced-exploits-2.md.
SeDebugPrivilege + Meterpreter migrate -N winlogon.exe → SYSTEM. See advanced-exploits-2.md.
checksec, one_gadget, ropper, ROPgadget, seccomp-tools dump, strings libc | grep GLIBC. See rop-advanced.md for full command list and pwntools template.