View hook_processes_and_threads.c
/*
Question: how to hook into the creation of new processes /and/ threads?
Attempt #1: Attach a kprobe to the `execve` syscall
- This works, but will not catch threads created via clone.
Attempt #2: Add an additional kretprobe to the `clone` syscall
- On success, clone returns the newly created thread id. This works fine
until you start dealing with pid namespaces. If clone is called from a
different pid namespace, the return value will only be valid for that
View get_memory_strings.py
import ctypes, sys, os, string

try:
    pid = int(sys.argv[1])
except IndexError:
    print >> sys.stderr, "{} <process_id>".format(sys.argv[0])
    sys.exit(1)

libc = ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc.process_vm_readv.argtypes = [ctypes.c_uint64, ctypes.c_void_p, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_uint64, ctypes.c_uint64]
View what.docx
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFXrqMIBEADs7PR4iqATlwguGqGLTbUmeUWtjfnyf+ZrEh6P9Xi2MP23qJh4
XHaAOlB0nzgOIvqPGNBa6OU6aUq/timRZY0XRKFGj3pExiq/efkMP5a2QvPTfaPa
L1k0yH4VNzerALIXvrYxVkQmEKeTV1WSp7bOfSGajcvINitLXBaFoVJAoqbmoDTn
vcRIffQOJ7/Kccn0vbrTqqZykYfG68APPjGW08KdbQGAgrSMRMS0gNnbZKQ0PhOf
EoGXXNa9AvKMo15U01v9aC+kZJ+0VmcswIknF+2IugLChuhz5FYxJ9m2t8OJBF1P
RobI86Zgexq83cNSDhSR+I53+VW0uJPHRQhp+AB2l6aspKq+V92QZZ3mcI1NR95J
epFx0DeMbajA3oeKH/9+77kqeS/am+veZZgm4qKe6ziM4xfxsN9090RHq+32NGUt
@ancat
ancat / obese.md
Created Jul 18, 2017
obesity spam
View obese.md
Subject: Being a glutton is an awful sin, learn how you can stop living a sinful life and lose excessive weight
From: ziggydog@xplornet.com
Date: Jul 15 02:25AM +0200

Our Lord and Savior wants you to stop being obese.
The Bible says that gluttony is an awful sin.
The craving of food can quickly become an idol in our lives.
Anything that takes the place of the Lord is a sin against Him (Proverbs 23:2).
@ancat
ancat / caffe.md
Last active Mar 23, 2018
instructions for setting up caffe
View caffe.md

Setting up Caffe for Running Deepdream on OS X

Dependencies

Use Brew

Install brew and pip (sudo easy_install pip)

brew update
brew install homebrew/science/openblas
View pwnable_2.md

WWTW

Solving the Game

Wibbly wobbly timey wimey, or "wwtw", was a two-point pwnable from Defcon quals this year. I worked on this challenge with my teammate, @MarvelousBreadchris. Running it right away shows us a little game screen:

You(^V<>) must find your way to the TARDIS(T) by
avoiding the angels(A).
Go through the exits(E) to get to the next room
View exploit250.py
from pwn import *
import sys
lei = lambda x: struct.pack('I', x)
stack_chk = 0x0804B01C # location of stack_chk in the got
ret = 0x08048D89 # stack pivot (sub esp, 0x1c; pop; pop; pop; pop; ret;)
live = True
if live:
View Kendall.md

Kendall

Kendall was a 300 point "red" challenge - an exploitable. This was a pretty involved challenge but it was simple once you realized what you had to do. Launching the binary would start a forking server for some DHCP Management Console.

Playing around with the console, it's clear that authenticating is going to be integral to solving the challenge. The authenticate function opens a password.txt file and compares it with your input. You would probably be able to use the strcmp as a timing oracle to brute force the password, but that's kind of lame.

While reversing, we noticed the same strange function being used everywhere to read user input. Strange, mostly because it only accepted a size parameter. It didn't accept a destination buffer, nor did it allocate space for one - it just used the same statically sized 128 byte long buffer in the .bss segment.

View gist:0d4b7f8740ae6faa6cc3
set $root = 0x804c36c
# first element
break *0x08049030
commands
silent
printf "allocated first_node->name @ 0x%x\n", $eax
continue
end
break *0x0804903D
View gist:11164195
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>http://24.media.tumblr.com</title>