elnx
@elnx
elnx / ioctl_names.cpp
Created October 31, 2023 13:46 — forked from daaximus/ioctl_names.cpp
Most IOCTLs mapped to their code names
#include <cstdint> // for uint64_t
typedef struct _ioctl_t
{
const char* ioctl_name; // human-readable IOCTL name, e.g. "IOCTL_AFD_SELECT"
uint64_t ctl_code; // numeric control code passed to NtDeviceIoControlFile
} ioctl_t;
// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution.
//
// Results from NtDeviceIoControlFile hook:
// utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 )
@elnx
elnx / _.md
Last active September 15, 2021 07:14 — forked from Jinmo/_.md
C/C++ header to IDA

Install

pip install clang
pip install libclang

Usage

In IDAPython,

@elnx
elnx / 0_TL_DR.markdown
Created May 30, 2020 19:33
GNU as assembler (binutils-2.25) type sizes for x86 and x86_64

TL;DR

Integer types

  • .octa 16 bytes on x86_64 and x86
  • .quad 8 bytes on x86_64 and x86
  • .long and .int 4 bytes on x86_64 and x86
  • .word, .short and .hword 2 bytes on x86_64 and x86
  • .byte is, of course, 1 byte on x86_64 and x86

Floating-point types

#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@elnx
elnx / Insomnihack_Teaser_2017_winworld_exploit.py
Created January 7, 2019 16:27 — forked from j00ru/Insomnihack_Teaser_2017_winworld_exploit.py
Insomni'hack Teaser 2017 "winworld" exploit by Mateusz "j00ru" Jurczyk
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author: Mateusz "j00ru" Jurczyk
# Date: 21 January 2017
#
import os
import random
import string
import sys
import struct
@elnx
elnx / exploit.c
Created October 30, 2018 01:53 — forked from syjcnss/exploit.c
exploit for cred_jar
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>
#define ALLOC_CTX _IO('t', 1)
@elnx
elnx / pwn.js
Created May 8, 2018 15:56 — forked from saelo/pwn.js
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
@elnx
elnx / babyheap.py
Created April 10, 2018 14:34 — forked from yannayl/babyheap.py
0ctf 2018 babyheap challenge exploit
from pwn import *
context.bits = 64
#libc = ELF('./libc-2.23.so')
libc = ELF('./libc-2.24.so')
main = ELF('./babyheap.dbg')
#main = ELF('./babyheap')
#dbg_file = './libc-2.23.debug'
def gdb_load_symbols_cmd(sym_file, elf, base):
@elnx
elnx / zerofs.c
Created April 2, 2018 03:11 — forked from tarafans/zerofs.c
zerofs.c
/*
config: KASLR + SMEP + RANDOM_STRUCT
In llseek, I only check whether the offset is smaller than file_size or not.
However, the image can be crafted by the attacker. After reversing the disk
layout of the image, the attacker can mount an image which contains a normal
file having file size 0x7fffffffffffffff.
With llseek, kernel memory read and write can be achieved.
But the implemented llseek only supports positive seeking, which means that
the attacker cannot access the data before the buffer of the file.
This creates certain difficulties.