- Disclamair
- House Of Roman
------> 2.1 Assumptions
------> 2.2 Protections
------> 2.3 Quick Walkthrough
------> 2.4 Setting the FD to malloc_hook
------> 2.5 Fixing the 0x71 freelist
------> 2.6 Unsorted Bin attack on malloc_hook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ | |
# generate server.xml with the following command: | |
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes | |
# run as follows: | |
# python simple-https-server.py | |
# then in your browser, visit: | |
# https://localhost:4443 | |
import BaseHTTPServer, SimpleHTTPServer | |
import ssl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# | |
# Copyright (c) 2012, Chema Garcia | |
# All rights reserved. | |
# | |
# Redistribution and use in source and binary forms, with or | |
# without modification, are permitted provided that the following | |
# conditions are met: | |
# | |
# * Redistributions of source code must retain the above |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
obj-m += afw.o | |
afw-objs := afw_main.o locate_sct.o ttgl.o | |
ccflags-y := -std=gnu99 -O2 | |
all: | |
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules | |
clean: | |
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE, | |
but do not have a relocation table to allow ASLR to function. | |
usage: checkaslr.py <dir> | |
ex: checkaslr.py "C:\Program Files\" | |
requires: pefile <https://github.com/erocarrera/pefile>, which should be | |
installable via: pip install pefile | |
''' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python2 | |
# -*- coding: utf-8 -*- | |
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300. | |
# You could free allocations and read/write to them even after they got freed. | |
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques. | |
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore. | |
# Afterwards we can get a write-what-where primitive using unsafe unlink. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# import Collection | |
bytearray = ().__class__.__base__.__subclasses__()[5] | |
def p64(addr): | |
x = '{0:016x}'.format(addr) | |
return bytearray.fromhex(x)[::-1] | |
b = Collection.Collection({'1':0x1337}) | |
libc_base = id(b) + 0xe27198 - 0x13e0dd0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
import re | |
import sys | |
import string | |
import itertools | |
# UAF in IndexCursor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <stdlib.h> | |
#define chunksize 0x8 | |
#define fakesize 0x20 | |
#define SIZE_SZ (sizeof(size_t)) | |
#define MALLOC_ALIGN_MASK (2*SIZE_SZ - 1) | |
#define MIN_CHUNK_SIZE 24 /* 64 bit system */ | |
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */ |
I hereby claim:
- I am ducphanduyagentp on github.
- I am dphan0x80 (https://keybase.io/dphan0x80) on keybase.
- I have a public key whose fingerprint is 3796 106E F244 F6C6 EE39 09B3 07A6 7A8D 5C67 96C2
To claim this, I am signing this object: