This gist is a random compilation of Linux kernel repositories used by different companies.
Upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
Android:
Google:
disconnect3d
/ python_poc_trellix_fix.py
Created
April 7, 2023 14:16
Proof of concept on how to exploit the fix/mitigation from TrellixVulnTeam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| Please see https://github.com/python/cpython/issues/74453#issuecomment-1500321322 | |
| for more details | |
| """ | |
| import tarfile | |
| import os | |
| cwd_name = os.path.basename(os.getcwd()) |
disconnect3d
/ sekaictf2022_pwn_hello_world.py
Last active
October 3, 2022 09:53
Solver for pwn hello world task from sekai ctf 2022
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| This is exploit for the SEKAI CTF 2022 PWN Hello World challenge written by Disconnect3d from justCatTheFish | |
| The exploit has few steps: | |
| - leaks a libc address | |
| - computes global canary/cookie address in tls | |
| - uses buffer overflow to overwrite the canary and execute a very small ROP of 3 gadgets (as we can't do more) | |
| - those 3 gadgets call a read(0, rsp - around 8000, 9000) |
Hi! Witaj na stronie sprintu Pwndbg. Poniżej możesz przeczytać opisy przykładowych rzeczy, które można by dodać lub usprawnić w Pwndbg :).
- Repo projektu: https://github.com/pwndbg/pwndbg/
Zadania mają różną trudność i wymagają różnej wiedzy. Prostsze zadania mogą pomóc w rozeznaniu się w strukturze projektu lub różnych schematach, np. jak wygląda "komenda".
PS: Na samym dole dodałem kilka przykładów róznych API w Pwndbg, które mogą się przydać oraz informacji o samym GDB.
disconnect3d
/ Working GDB on macOS 11.md
Created
July 1, 2021 21:02
— forked from mike-myers-tob/Working GDB on macOS 11.md
Steps to get GDB actually working in April 2021 on macOS
The big reason to do this is that LLDB has no ability to "follow-fork-mode child", in other words, a multi-process target that doesn't have a single-process mode (or, a bug that only manifests when in multi-process mode) is going to be difficult or impossible to debug, especially if you have to run the target over and over in order to make the bug manifest. If you have a repeatable bug, no big deal, break on the fork from the parent process and attach to the child in a second lldb instance. Otherwise, read on.
Don't make the mistake of thinking you can just brew install gdb. Currently this is version 10.2 and it's mostly broken, with at least two annoying bugs as of April 29th 2021, but the big one is https://sourceware.org/bugzilla/show_bug.cgi?id=24069
$ xcode-select install # install the XCode command-line tools
disconnect3d
/ subprocess.py
Created
June 20, 2021 10:45
— forked from thomasballinger/subprocess.py
Using a pseudo-terminal to interact with interactive Python in a subprocess
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from subprocess import Popen, PIPE | |
| import pty | |
| import os | |
| from select import select | |
| import sys | |
| import tty | |
| master, slave = pty.openpty() | |
| p = Popen(['python'], stdin=slave, stdout=PIPE, stderr=PIPE) | |
| pin = os.fdopen(master, 'w') |
disconnect3d
/ uql_solver.py
Last active
April 8, 2021 00:27
Solver for the UQL (Universal Query Language) task from Angstrom CTF 2021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| if args.MOD: | |
| exe = context.binary = ELF('./a.out') # my modified version # the leak below works only on original | |
| else: | |
| exe = context.binary = ELF('./uql') | |
| def start(argv=[], *a, **kw): |
disconnect3d
/ README.md
Created
January 31, 2021 18:45
justCTF [*] 2020 writeups to Go-fs and D0cker by Disconnect3d
In this challenge, we connect to a server which spawns us a Docker container. On the filesystem, there is an oracle.sock with which we have to communicate and we have to find answers to its questions.
➜ pwn_docker git:(master) nc docker-ams32.nc.jctf.pro 1337
Access to this challenge is rate limited via hashcash!
Please use the following command to solve the Proof of Work:
disconnect3d
/ explanation.md
Last active
December 21, 2020 21:05
Pfoten chall solution from hxp 2020 ctf; tl;dr: swap was RW and we had to get privesc through it (we swapped out the pid=1 busybox page; ofc its not super deterministic so we kinda brute this)
1) Linux with globally read & write swapfile There was a minimal linux kernel with not many features in the task and we had a non-privileged shell in it. The init script, which ran busybox, enabled swap, but the swapfile permissions allowed others to read/write it. The init then launched a non-user (uid=1) shell (so, another busybox). The flag file was owned and only readable by root. There was ~80MB of ram and 10MB of swap.
Ofc first idea is "force kernel to read the flag file and swap it" and then read it - but I don't think it is possible. Another idea: make privilege escalation through writable swapfile.
So how do you do it? Kernel memory pages can't be swapped, so you allocate a lot memory in kernel space to fill in available memory and force kernel to swap the init process memory pages. You can allocate kernel memory with its ipc framework available for userspace. You do msgsend(msgget(..)) and each call allows you to allocate ~4kB and you can do 32000 such allocations (usually, depends on
disconnect3d
/ hacklu2020_backdoor_pwn_solver.py
Last active
October 26, 2020 11:35
Solution to Hacklu CTF 2020 "Through the Backdoor" pwn task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sadly, solved 5min after CTF :( | |
| # Flag: flag{banging_with_my_big_bag_of_backdoors} | |
| import datetime | |
| from pwn import * | |
| from cint import U64 | |
| if args.REMOTE: | |
| p = remote(args.HOST or 'flu.xxx', int(args.PORT or 2030)) | |
| else: | |
| p = process('./run-qemu.sh') |
NewerOlder