Benno Fünfstück bennofs

View PKGBUILD
# Maintainer GI Jack <GI_Jack@hackermail.com>
pkgname=aflplusplus
pkgver=3.13c
_pkgver=3.13c
pkgrel=1
pkgdesc="afl++ is afl with community patches, AFLfast power schedules, qemu 3.1 upgrade + laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode and a lot more!"
arch=('x86_64')
url="https://github.com/vanhauser-thc/AFLplusplus"
license=('Apache')
View lib.rs
#![allow(unused)]
use std::{collections::HashSet, path::Path};
pub use std::{process::ExitStatus, fs::File, io::Read, net::SocketAddr, net::SocketAddrV4, net::UdpSocket, path::PathBuf, time::Duration, time::Instant};
pub use std::collections::HashMap;
pub use bincode::serialize;
use itertools::izip;
pub use log::*;
use solana_bpf_loader_program::{ThisInstructionMeter, solana_bpf_loader_deprecated_program, solana_bpf_loader_program, solana_bpf_loader_upgradeable_program};
pub use solana_bpf_loader_program::{BPFError, bpf_verifier};
View gist:84d81d43a8ed872dd5600044ef82de06
View _writeup.md

MathSH Writeup

MathSH was a very innovative challenge in the sandbox escape category. Three members of our team - ALLES! - worked on it for several hours and eventually drew first blood. This writeup is split into several parts: dumping the binary, analysing the sandbox, gaining a better primitive for code execution, and finally escaping the sandbox.

The description "Calculator as a Service (CAAS)" already hints at CAS (Code Access Security), a legacy .NET technology for running code at various levels of trust.

We are given a restricted "shell" to calculate math expressions:

View script.py
#!/usr/bin/env python3
attack = b'''POSt //admin HTTP/1.1
Connection: Keep-Alive
Cookie: IMPERSONATE=,KEY;KEY
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
username=admin
'''.replace(b'\n',b'\r\n')
View Makefile
always += rockchip/rk3328-rock64.dtb
View config.el
;; enable python version switching
(defvar +python-interpreter-executable-history nil
  "History list for recently selected python interpreters.")

(defun +set-python-interpreter-executable (command)
  "Set the python interpreter for the current buffer to the given executable."
  (interactive
   (list
    (read-shell-command
     "Python interpreter: " nil '+python-interpreter-executable-history "python"
View keybase.md

Keybase proof

I hereby claim:

  • I am bennofs on github.
  • I am bennofs (https://keybase.io/bennofs) on keybase.
  • I have a public key ASADrX5aq3SMqRLWif2ffaklwmU4B6AvU0XkuQywqnJqwwo

To claim this, I am signing this object:

View generate-firmware.py
#!/usr/bin/env python3
import argparse
import shutil
import sys
from hashlib import sha256
from zipfile import ZipFile
# download latest OTA from https://www.oneplus.com/support/softwareupgrade
# this has been extracted from OnePlus5TOxygen_43_OTA_038_all_1808082017_453d65d4235346a0.zip
View fuzz.c
#include <stdio.h>
#include <glib.h>
#include <pango/pango.h>
#include <pango/pangocairo.h>
#include <fribidi/fribidi.h>

/* Print up to n bytes starting at ptr as hex, stopping early at a NUL byte. */
void dumphex(char* ptr, int n) {
    while (*ptr && n) {
        printf("%02hhx ", *ptr);
        ptr += 1;
        n -= 1;
    }
}