elnx

@elnx
elnx / _.md
Last active Sep 15, 2021 — forked from Jinmo/_.md
C/C++ header to IDA

Install

pip install clang
pip install libclang

Usage

In IDAPython,

@elnx
elnx / 0_TL_DR.markdown
Created May 30, 2020 — forked from steakknife/0_TL_DR.markdown
GNU as assembler (binutils-2.25) type sizes for x86 and x86_64

TL;DR

Integer types

  • .octa 16 bytes on x86_64 and x86
  • .quad 8 bytes on x86_64 and x86
  • .long and .int 4 bytes on x86_64 and x86
  • .word, .short and .hword 2 bytes on x86_64 and x86
  • .byte is, of course, 1 byte on x86_64 and x86

Floating-point types

View gist:256eed97cba1711ac914095c952e6e26
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@elnx
elnx / Insomnihack_Teaser_2017_winworld_exploit.py
Created Jan 7, 2019 — forked from j00ru/Insomnihack_Teaser_2017_winworld_exploit.py
Insomni'hack Teaser 2017 "winworld" exploit by Mateusz "j00ru" Jurczyk
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author: Mateusz "j00ru" Jurczyk
# Date: 21 January 2017
#
import os
import random
import string
import sys
import struct
@elnx
elnx / exploit.c
Created Oct 30, 2018 — forked from syjcnss/exploit.c
exploit for cred_jar
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>
#define ALLOC_CTX _IO('t', 1)
@elnx
elnx / pwn.js
Created May 8, 2018 — forked from saelo/pwn.js
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
@elnx
elnx / babyheap.py
Created Apr 10, 2018 — forked from yannayl/babyheap.py
0ctf 2018 babyheap challenge exploit
from pwn import *
context.bits = 64
#libc = ELF('./libc-2.23.so')
libc = ELF('./libc-2.24.so')
main = ELF('./babyheap.dbg')
#main = ELF('./babyheap')
#dbg_file = './libc-2.23.debug'
def gdb_load_symbols_cmd(sym_file, elf, base):
@elnx
elnx / zerofs.c
Created Apr 2, 2018 — forked from tarafans/zerofs.c
zerofs.c
/*
config: KASLR + SMEP + RANDOM_STRUCT
In llseek, I only check whether the offset is smaller than file_size or not.
However, the image can be crafted by the attacker. After reversing the disk
layout of the image, the attacker can mount an image which contains a normal
file having file size 0x7fffffffffffffff.
With llseek, kernel memory read and write can be achieved.
But the implemented llseek only supports positive seeking, which means that
the attacker cannot access the data before the buffer of the file.
This creates certain difficulties.
@elnx
elnx / heapstorm2.py
Created Apr 2, 2018 — forked from Jackyxty/heapstorm2.py
Official solution for "Heap Storm II" of 0CTF/TCTF 2018 Quals
#!/usr/bin/env python
# encoding: utf-8
#flag{Seize it, control it, and exploit it. Welcome to the House of Storm.}
import itertools
from hashlib import sha256
from pwn import remote, process, ELF
from pwn import context
from pwn import p32,p64,u32,u64