@WGH-
WGH- / README.md
Last active April 4, 2017 18:54
2manypkts writeup (Nuit du Hack CTF Quals 2017)

The task is a remote x86_64 binary (both the binary and its libc were provided), tagged "pwn" and "network", so the goal is to exploit a vulnerability in it to obtain a shell.

There are actually two parts to the task, named 2manypkts-v1 and 2manypkts-v2 respectively.

The binary has a fairly trivial stack buffer overflow. In the first part, you can simply overflow the buffer up to (and beyond) main's return address and use the well-known ROP technique. The second part is harder: main never returns, but the overflow also reaches other local variables, including several pointers to heap objects, which lets you call realloc with arbitrary arguments.
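To make the second part concrete, here is an added C model of the pattern described above (it is not code from the writeup or from the CTF binary, whose real frame layout is not shown here): a fixed receive buffer followed by a heap pointer and a size that are later handed to realloc. The struct `frame`, the receiver functions and the placeholder address 0x1000 are assumptions for illustration. The vulnerable receiver bounds the copy only against the whole frame (to keep the model free of undefined behaviour), never against the buffer, so a packet longer than 64 bytes overwrites the pointer and size; the hardened form rejects such packets, and `build_payload` shows how the overwrite is laid out using `offsetof` rather than guessed offsets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the task's stack frame: a fixed receive buffer
 * followed by locals that are later handed to realloc(). The real layout
 * of the CTF binary is not shown on this page. */
struct frame {
    char   buf[64];
    char  *heap_a;   /* stand-in for the heap pointer later passed to realloc() */
    size_t new_len;  /* stand-in for the size later passed to realloc() */
};

/* Vulnerable pattern: len comes from the packet and is only compared with
 * the whole frame (so this model stays free of undefined behaviour), never
 * with the 64-byte buffer, so bytes 64.. land on heap_a and new_len. */
static struct frame vuln_recv(const unsigned char *pkt, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.heap_a  = (char *)0x1000;   /* placeholder "heap" address */
    f.new_len = 16;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, pkt, len);         /* BUG: buf is at offset 0, copy runs past it */
    return f;
}

/* Hardened form: reject anything that does not fit in buf (with room for
 * a terminator), so the pointer and size fields can never be touched. */
static int safe_recv(struct frame *f, const unsigned char *pkt, size_t len)
{
    memset(f, 0, sizeof *f);
    f->heap_a  = (char *)0x1000;
    f->new_len = 16;
    if (len >= sizeof f->buf)
        return -1;                /* drop the packet instead of overflowing */
    memcpy(f->buf, pkt, len);
    f->buf[len] = '\0';
    return 0;
}

/* Builds the overwrite: filler up to heap_a, then the pointer and size we
 * want realloc() to receive, little-endian as on x86_64. Returns the length. */
static size_t build_payload(unsigned char *out, uintptr_t ptr, size_t sz)
{
    size_t off_ptr = offsetof(struct frame, heap_a);
    size_t off_len = offsetof(struct frame, new_len);
    memset(out, 'A', off_ptr);
    for (size_t i = 0; i < sizeof ptr; i++)
        out[off_ptr + i] = (unsigned char)(ptr >> (8 * i));
    for (size_t i = 0; i < sizeof sz; i++)
        out[off_len + i] = (unsigned char)(sz >> (8 * i));
    return off_len + sizeof sz;
}

/* 1 if the vulnerable receiver ends up with exactly the realloc() arguments
 * we chose, 0 otherwise. */
int overwrite_works(uintptr_t want_ptr, size_t want_len)
{
    unsigned char pkt[sizeof(struct frame)];
    size_t n = build_payload(pkt, want_ptr, want_len);
    struct frame f = vuln_recv(pkt, n);
    return (uintptr_t)f.heap_a == want_ptr && f.new_len == want_len;
}

/* 1 if the hardened receiver rejects the same packet and keeps its locals. */
int hardened_rejects(uintptr_t want_ptr, size_t want_len)
{
    unsigned char pkt[sizeof(struct frame)];
    size_t n = build_payload(pkt, want_ptr, want_len);
    struct frame f;
    int rc = safe_recv(&f, pkt, n);
    return rc == -1 && (uintptr_t)f.heap_a == 0x1000 && f.new_len == 16;
}

int main(void)
{
    uintptr_t ptr = (uintptr_t)0x4141414141414141ULL;   /* constructed test values */
    size_t    len = 0x100;
    printf("heap_a sits %zu bytes into the frame\n", offsetof(struct frame, heap_a));
    printf("vulnerable receiver clobbered: %d\n", overwrite_works(ptr, len));
    printf("hardened receiver rejected:    %d\n", hardened_rejects(ptr, len));
    return 0;
}
```

In the real task the clobbered pointer and size are what reach realloc, which is why controlling both matters; the first part (overwriting main's return address for ROP) is the same overflow continuing further up the frame, and is deliberately not modelled here since it cannot be demonstrated without undefined behaviour.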

```python
#!/usr/bin/env python3
import sys
import pprint
import re
import subprocess
def get_mapping():
    p = subprocess.Popen(["xmodmap", "-pke"], stdout=subprocess.PIPE)
```
WGH- / fix.py
Last active January 14, 2016 01:48
Useful TLMC scripts
```python
#!/usr/bin/env python3
# encoding: utf-8
import sys
import os
import codecs
import errno
```
WGH- / self_exploit.py
Created October 12, 2015 13:17
Self-exploiting exploit
```python
#!/usr/bin/python2
import sys
from pwn import *
def find_libc_path_and_offset():
    with open("/proc/self/maps") as f:
        for line in f:
            line = line.strip()
```
```python
#!/usr/bin/env python2
# encoding: utf-8
import sys
import os
import codecs
import errno
```
WGH- / decompile.py
Last active January 3, 2016 18:39
A wrapper script that can be used to conveniently check the assembly/LLVM IR of given C/C++ source. Example usage: ./decompile.py clang -emit-llvm -O2 test.cpp | less
```python
#!/usr/bin/env python3
import os
import sys
import subprocess
import tempfile
import contextlib
@contextlib.contextmanager
```