Kira233 0xKira

🤔
antui
View GitHub Profile
@0xKira
0xKira / README.md
Created September 27, 2021 02:56
Solution for 0CTF/TCTF 2021 Final binlog

The challenge uses the Django framework to host a website, and a binary service written in C++ provides data access.

The web service has only one potential vulnerability: it uses Django-redis to store session data, and this library serializes data with pickle. The setup is vulnerable if an attacker is able to control both the cache key and the data.

Luckily, the provided binary service makes both possible. You can write a blog post (the cache content) whose contents you control, so the only remaining problem is the cache key. One obvious difference between this binary and typical ones is that it is compiled with AddressSanitizer to detect memory corruption bugs. And we can read the binary service's output from the web interface, even its stderr!

The idea is to retrieve sensitive data from ASAN's bug report. I leave an easy-

@0xKira
0xKira / README.md
Created July 6, 2021 13:10
Solution for 0CTF/TCTF 2021 Quals uc series
@0xKira
0xKira / vscode-unused-workspace-storage-cleanup.sh
Last active November 15, 2020 14:57 — forked from 3v1n0/vscode-unused-workspace-storage-cleanup.sh
VSCode unused workspaceStorage cleanup
#!/bin/bash
CONFIG_PATH=~/Library/ApplicationSupport/Code
for i in $CONFIG_PATH/User/workspaceStorage/*; do
if [ -f $i/workspace.json ]; then
folder="$(python3 -c "import sys, json; print(json.load(open(sys.argv[1], 'r'))['folder'])" $i/workspace.json 2>/dev/null | sed 's#^file://##;s/+/ /g;s/%\(..\)/\\x\1/g;')"
if [ -n "$folder" ] && [ ! -d "$folder" ]; then
echo "Removing workspace $(basename $i) for deleted folder $folder of size $(du -sh $i|cut -f1)"
@0xKira
0xKira / exp_emoji_revenge.py
Created September 27, 2020 05:25
Official solution for 0CTF/TCTF 2020 Finals challenge Emoji Revenge
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = "Kira / AAA"
from pwn import context, remote, process, ELF
from pwn import pause, log
import sys
context.update(terminal='zsh')
p = None
_remote = False
@0xKira
0xKira / auto-killing.py
Created August 10, 2020 01:59
Auto-killing script for DEF CON 28 CTF challenge rhg
# -*- coding: utf-8 -*-
from pwn import *
from time import sleep
import requests
import json
global map_elems, token, myx, myy
TIMEOUT = 0.5
URL = 'http://10.13.37.1:8080/state.json'
# URL = 'http://10.168.4.66:8080/state.json'
@0xKira
0xKira / fuck-2019-nCov.py
Last active January 25, 2020 13:24
Monitors the 丁香医生 (DXY) live updates and automatically sends an email alert when anything changes
# -*- coding: utf-8 -*-
import requests
import re
import json
import time
from smtplib import SMTP_SSL
from email.header import Header
from email.mime.text import MIMEText
last_msg_time = None
@0xKira
0xKira / FFmpeg Stack Overflow.md
Last active August 17, 2020 09:27
CVE-2018-9841

vulnerable function:

export from libavfilter/vf_signature.c

static int export(AVFilterContext *ctx, StreamContext *sc, int input)
{
    SignatureContext* sic = ctx->priv;
    char filename[1024];

vulnerable function:

parse_outputs from libavfilter/graphparser.c

static int parse_outputs(const char **buf, AVFilterInOut **curr_inputs,
                         AVFilterInOut **open_inputs,
                         AVFilterInOut **open_outputs, void *log_ctx)
{
    int ret, pad = 0;

I am trying to open a crafted XML file, and the program keeps running without stopping.

In the function svg_probe from libavformat/img2dec.c

static int svg_probe(AVProbeData *p)
{
    const uint8_t *b = p->buf;
    const uint8_t *end = p->buf + p->buf_size;
 if (memcmp(p->buf, "
@0xKira
0xKira / README.md
Last active April 25, 2019 17:06
A DIY Theme for Oh My ZSH

kira-zsh-theme

A DIY Theme for Oh My ZSH

Screenshots

See below

Installation

You can simply copy the code in kira.zsh-theme and save locally.