I hereby claim:
- I am bkth on github.
- I am bkth (https://keybase.io/bkth) on keybase.
- I have a public key ASBZHtze7NMvZErOr3XCmUGi5x41XbrfafPY4bJ7fVsfgAo
To claim this, I am signing this object:
#!/usr/bin/python | |
from pwn import * | |
import time | |
def recv_menu():
    """Read from the global connection ``s`` until the next ``'>>> '`` prompt.

    Returns the value of ``s.recvuntil`` for that prompt; ``s`` is expected to
    be bound elsewhere in the script (it is not defined in this snippet).
    """
    prompt = '>>> '
    return s.recvuntil(prompt)
# the encoding is | |
# first four bits are the depth in the tree encoded | |
# next 8 bits is the character encoded | |
# next X bits is the position in the tree encoded with the depth given by the first four bits | |
# The file has the following structure | |
# Each tree node encoded + 4 bits set to zero + each original character encoded by its position in the tree + a few bits at the end
# Bit accumulator for the encoding described above; starts out empty.
bits = list()
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
HOST = "127.0.0.1" if len(sys.argv) < 2 else sys.argv[1] | |
PORT = 1337 if len(sys.argv) < 2 else int(sys.argv[2]) | |
TARGET = (HOST, PORT) |
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
# OOB access inside the ascii art table with \x7f letting us access the first 6 qwords of our input | |
# overwrite return address on stack to make ESP point to our buffer which jumps to system@plt with the stack setup |
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
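def info(s):
    """Print *s* to stdout as an informational log line prefixed with ``[*]``.

    The parenthesised form is used so the helper works on both Python 2
    (where the parentheses merely group the expression) and Python 3, where
    the bare ``print`` statement is a syntax error.
    """
    print("[*] %s" % s)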
import os | |
import subprocess | |
def run_cmd(s):
    """Run the whitespace-separated command *s* and return its stdout as bytes.

    The string is split on whitespace and handed to ``subprocess.check_output``
    as an argv list, so no shell is involved and shell quoting is not
    interpreted; a non-zero exit status raises ``subprocess.CalledProcessError``.
    """
    argv = s.split()
    return subprocess.check_output(argv)
I hereby claim:
To claim this, I am signing this object:
from z3 import * | |
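# Read the challenge source once and split it into lines.  The context manager
# closes the handle even if the read raises (the original left it open).
# Splitting on b"\n" keeps the types consistent: in Python 2 b"\n" is "\n",
# while in Python 3 a binary read returns bytes, which cannot be split on a str.
with open("source.c", "rb") as f:
    lines = f.read().split(b"\n")
# Accumulator for per-byte input values; starts out empty.
input_byte = []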
#!/usr/bin/python | |
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF | |
# We control 4 bytes every 8 bytes | |
# As Thumb instructions are 2 bytes we can make the processor switch instruction set and use a shellcode | |
# that does one instruction and a short branch to skip the next dword | |
from unicorn import * | |
from unicorn.arm_const import * | |
from keystone import * |
# the check function was originally written in Python and was fed through grumpy, a Python-to-Go transpiler written by Google (open sourced on GitHub)
# the main check function is ~2k+ lines, but grumpy-generated code generally follows this pattern:
# grumpy_Op() | |
# if error: | |
# multi line of crap and bailout | |
# good path | |
# so we can go faster through it | |
# it first checks that our input has 5 parts when split('-') is called
# then each part is checked to be 5 characters | |
# then it does some basic checking on the parts which are outlined below |