elnx
elnx / ioctl_names.cpp
Created October 31, 2023 13:46 — forked from daaximus/ioctl_names.cpp
Most IOCTLs mapped to their code names
#include <cstdint>

typedef struct _ioctl_t
{
const char* ioctl_name;   // symbolic name, e.g. "IOCTL_AFD_SELECT"
uint64_t ctl_code;        // raw IoControlCode as passed to NtDeviceIoControlFile
} ioctl_t;
// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution.
//
// Results from NtDeviceIoControlFile hook:
// utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 )
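As an added worked example, not part of the gist: a small C program that resolves a raw IoControlCode against a name table with the same entry shape, extracts the code from a hook trace line of the form shown in the comment above, and decodes it both with the generic CTL_CODE() field layout and with AFD's own layout. Only IOCTL_AFD_SELECT (0x12024) appears on the page; the other AFD entries in the table, the trace-line parser and the field decoders are this example's own additions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the gist's table entry. */
typedef struct _ioctl_t {
    const char *ioctl_name;
    uint64_t    ctl_code;
} ioctl_t;

/* Partial table. 0x12024 is the code the gist's hook line shows; the other
 * entries are the well-known request codes of the winsock helper device
 * (\Device\Afd) and are added here for illustration. */
static const ioctl_t g_ioctls[] = {
    { "IOCTL_AFD_BIND",    0x12003 },
    { "IOCTL_AFD_CONNECT", 0x12007 },
    { "IOCTL_AFD_RECV",    0x12017 },
    { "IOCTL_AFD_SEND",    0x1201f },
    { "IOCTL_AFD_SELECT",  0x12024 },
};

/* Fields of a code built with the CTL_CODE() macro:
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ctl_fields_t;

ctl_fields_t decode_ctl_code(uint32_t code)
{
    ctl_fields_t f;
    f.device_type = (code >> 16) & 0xffff;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xfff;
    f.method      =  code        & 0x3;
    return f;
}

/* AFD does not use CTL_CODE(). Its codes are laid out as
 *   (FILE_DEVICE_NETWORK << 12) | (operation << 2) | method
 * so every AFD code lands in 0x12000..0x12fff and a CTL_CODE() decode of
 * one reports DeviceType 1, which is misleading. Detect that range and
 * read the operation number instead. */
int is_afd_code(uint32_t code)
{
    return (code >> 12) == 0x12;
}

uint32_t afd_operation(uint32_t code)
{
    return (code >> 2) & 0x3ff;
}

/* Exact-match lookup on the full code; returns NULL when unknown. */
const char *resolve_ioctl_name(uint64_t code)
{
    for (size_t i = 0; i < sizeof g_ioctls / sizeof g_ioctls[0]; i++)
        if (g_ioctls[i].ctl_code == code)
            return g_ioctls[i].ioctl_name;
    return NULL;
}

/* Pull the IoControlCode (6th argument) out of a hook trace line in the
 * format of the gist comment. Returns 0 if the line does not match. */
uint64_t ioctl_from_hook_line(const char *line)
{
    static const char prefix[] = "NtDeviceIoControlFile(";
    const char *p = strstr(line, prefix);
    if (!p)
        return 0;
    p += sizeof prefix - 1;
    int commas = 0;
    while (*p && commas < 5) {      /* skip the first five arguments */
        if (*p == ',')
            commas++;
        p++;
    }
    if (commas < 5)
        return 0;
    return strtoull(p, NULL, 16);   /* base 16 accepts the "0x" prefix */
}

/* Hook line copied from the gist comment, used here as constructed sample input. */
static const char SAMPLE_HOOK_LINE[] =
    "utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\\Device\\Afd), 0x694, "
    "0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, "
    "0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, "
    "0x0000000004A3FC18, 0x34 )";

int main(void)
{
    uint64_t code = ioctl_from_hook_line(SAMPLE_HOOK_LINE);
    const char *name = resolve_ioctl_name(code);
    ctl_fields_t f = decode_ctl_code((uint32_t)code);

    printf("code 0x%llx -> %s\n", (unsigned long long)code, name ? name : "<unknown>");
    printf("CTL_CODE view: DeviceType=0x%x Access=%u Function=0x%x Method=%u\n",
           f.device_type, f.access, f.function, f.method);
    if (is_afd_code((uint32_t)code))
        printf("AFD encoding: operation=%u method=%u\n",
               afd_operation((uint32_t)code), f.method);
    return 0;
}
```

Key the table on the complete code rather than on decoded fields: for 0x12024 the CTL_CODE() view yields DeviceType 1 and Function 0x809, while the AFD layout yields operation 9 (AFD_SELECT) with METHOD_BUFFERED, and only the latter is meaningful for \Device\Afd.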
elnx / _.md
Last active September 15, 2021 07:14 — forked from Jinmo/_.md
C/C++ header to IDA

Install

pip install clang
pip install libclang

Usage

In IDAPython,

elnx / 0_TL_DR.markdown
Created May 30, 2020 19:33
GNU as assembler (binutils-2.25) type sizes for x86 and x86_64

TL;DR

Integer types

  • .octa 16 bytes on x86_64 and x86
  • .quad 8 bytes on x86_64 and x86
  • .long and .int 4 bytes on x86_64 and x86
  • .word, .short and .hword 2 bytes on x86_64 and x86
  • .byte is, of course, 1 byte on x86_64 and x86

Floating-point types

#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
elnx / Insomnihack_Teaser_2017_winworld_exploit.py
Created January 7, 2019 16:27 — forked from j00ru/Insomnihack_Teaser_2017_winworld_exploit.py
Insomni'hack Teaser 2017 "winworld" exploit by Mateusz "j00ru" Jurczyk
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author: Mateusz "j00ru" Jurczyk
# Date: 21 January 2017
#
import os
import random
import string
import sys
import struct
elnx / exploit.c
Created October 30, 2018 01:53 — forked from syjcnss/exploit.c
exploit for cred_jar
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <pthread.h>
#define ALLOC_CTX _IO('t', 1)
elnx / pwn.js
Created May 8, 2018 15:56 — forked from saelo/pwn.js
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
elnx / babyheap.py
Created April 10, 2018 14:34 — forked from yannayl/babyheap.py
0ctf 2018 babyheap challenge exploit
from pwn import *
context.bits = 64
#libc = ELF('./libc-2.23.so')
libc = ELF('./libc-2.24.so')
main = ELF('./babyheap.dbg')
#main = ELF('./babyheap')
#dbg_file = './libc-2.23.debug'
def gdb_load_symbols_cmd(sym_file, elf, base):
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
from pwn import *
code = ELF('./babystack')
context.arch = code.arch
context.log_level = 'debug'
# locate the first occurrence of an assembled gadget in the binary
gadget = lambda x: next(code.search(asm(x, os='linux', arch=code.arch)))
if len(sys.argv) > 2:
    r = remote(sys.argv[1], int(sys.argv[2]))