This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# the check function is originally written in python and was fed through grumpy which is python to Go transpiler written by Google (open sourced on github) | |
# the main check function is 2k+~ lines but grumpy code has the somewhat general following pattern: | |
# grumpy_Op() | |
# if error: | |
# multi line of crap and bailout | |
# good path | |
# so we can go faster through it | |
# it checks for our input first to contain 5 part when split('-') is called | |
# then each part is checked to be 5 characters | |
# then it does some basic checking on the parts which are outlined below |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
# OOB access inside the ascii art table with \x7f letting us access the first 6 qwords of our input | |
# overwrite return address on stack to make ESP point to our buffer which jumps to system@plt with the stack setup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
HOST = "127.0.0.1" if len(sys.argv) < 2 else sys.argv[1] | |
PORT = 1337 if len(sys.argv) < 2 else int(sys.argv[2]) | |
TARGET = (HOST, PORT) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# the encoding is | |
# first four bits are the depth in the tree encoded | |
# next 8 bits is the character encoded | |
# next X bits is the position in the tree encoded with the depth given by the first four bits | |
# The file has the following structure | |
# Each tree node encoded + 4 bits set to zero + each original character encoded by its position in the tree + few bits at the end | |
bits = [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF | |
# We control 4 bytes every 8 bytes | |
# As Thumb instructions are 2 bytes we can make the processor switch instruction set and use a shellcode | |
# that does one instruction and a short branch to skip the next dword | |
from unicorn import * | |
from unicorn.arm_const import * | |
from keystone import * |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
from pwn import * | |
import time | |
def recv_menu(): | |
return s.recvuntil('>>> ') | |
NewerOlder