Diffstat (limited to 'content/articles/2022-09-25-ductf-file-magic.md')
-rw-r--r-- | content/articles/2022-09-25-ductf-file-magic.md | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/content/articles/2022-09-25-ductf-file-magic.md b/content/articles/2022-09-25-ductf-file-magic.md index 42d6429..267a707 100644 --- a/content/articles/2022-09-25-ductf-file-magic.md +++ b/content/articles/2022-09-25-ductf-file-magic.md @@ -50,7 +50,7 @@ So for a anything to make it past these check and be executed it must: 1. be a valid 13x37 JPEG image with the pixel at 7,7 set to #070707 2. be a valid ELF binary that reads `./flag.txt` after decrypting with AES CBC, - fixed key and the provided IV + fixed key and the provided IV 3. The IV must contain `DUCTF` ## 1. AES CBC @@ -99,7 +99,7 @@ $$ c = AES(m \oplus IV) \\ AES^{-1}(c) = m \oplus IV \\ -AES^{-1}(c) \oplus m = IV \\ $$ +AES^{-1}(c) \oplus m = IV $$ All blocks after the first are now "uncontrollable" as ciphertext because IV and plaintext are set. @@ -109,12 +109,12 @@ plaintext are set. JPEG consists of a list of _segments_. Each starts with a marker byte (`ff`) followed by a identifier and the length of the segment (if non-zero). -| Identifier | Name | -| ---------- | ---------------------------------------------- | -| `d8` | Start of Image | -| `fe` | Comment | -| `d9` | End of Image | -| ... | _a bunch more that we dont need to know about_ | +| Identifier | Name | +| ---------- | ----------------------------------------------- | +| `d8` | Start of Image | +| `fe` | Comment | +| `d9` | End of Image | +| ... | _a bunch more that you dont need to know about_ | The comment segment is perfect for embedding our ELF binary into JPEG. We can first generate a JPEG image, then insert a _comment_ somewhere containing any |
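Review bot: In the first hunk (`@@ -50,7 +50,7 @@`) the only change is trailing whitespace on `fixed key and the provided IV`, but the unchanged context lines around it carry typos worth fixing in the same commit: the intro line reads `So for a anything to make it past these check and be executed it must:` (should be `for anything to make it past these checks`), and item 3 (`3. The IV must contain`) is capitalised unlike items 1 and 2 (`1. be a valid ...`, `2. be a valid ...`); lower-casing it to `3. the IV must contain` keeps the list consistent.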
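Review bot: In the second hunk (`@@ -99,7 +99,7 @@`) dropping the trailing `\\` before the closing `$$` is the right fix, since a line break after the last line of a display block renders as a spurious empty line (or an error) in most math renderers, but the closing `$$` is now fused onto the formula line (`AES^{-1}(c) \oplus m = IV $$`) while the opening `$$` stays on its own line; putting the closing `$$` back on its own line, without the `\\`, keeps the block symmetric. While touching these lines, `c = AES(m \oplus IV)` would read more clearly with the key made explicit (e.g. `AES_k`), given that the point of the derivation is that the key is fixed and only the IV is attacker-chosen.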
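Review bot: In the third hunk (`@@ -109,12 +109,12 @@`) the wording change from `we dont` to `you dont` in the last table row is inconsistent with the surrounding prose, which stays in first person (`embedding our ELF binary`, `We can first generate a JPEG image`); either keep `we` or change the paragraph too. The row still lacks the apostrophe (`dont` should be `don't`), and the context line `followed by a identifier and the length of the segment` should read `an identifier`. The rest of the hunk is just the column width being re-padded for the longer cell, which is fine.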