I hereby claim:
- I am itszn on github.
- I am itszn (https://keybase.io/itszn) on keybase.
- I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo
To claim this, I am signing this object:
itszn
/ gist:0eaac8657401d08f3b9d25ffc87875d7
Created
February 26, 2018 17:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9 |
itszn
/ gist:5c6030addaecd041af522a77975e986d
Created
December 21, 2016 20:27
Super fast hex encoding
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from timeit import timeit | |
| from ctypes import * | |
| ''' | |
| libc = CDLL('libc.so.6') | |
| libc.mprotect(0x400000,0x1000,7) | |
| s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex') | |
| #s = "\xc3" | |
| libc.memcpy(0x400000, c_char_p(s),len(s)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This challenge was a source only pwnable based on a aliasing bug with -O2. Also not all the source code was given. | |
| Intended solution outline: | |
| - In the source in assignVotes, a voter and a candidate can become aliased, and -02 optimization causes an incorrect return value. | |
| o If the person is the same as the candidate, it sets the voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value. | |
| o Then when going to print the error message, it instead tries print the votes (if it is > than the address of main) | |
| o This will print what ever point is given, allowing memory to be leaked up to a null | |
| - Now with an arbitrary read, we can dump the binary and reverse the missing code. | |
| - We can also leak libc addresses and dump libc (or take it from some other challenge) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This challenge required that you write cheats for a minecraft clone to bypass a large wall | |
| There are tons of ways to solve this, but here was the main idea. | |
| - There was a function that would on the client side return if a player has certain privileges. | |
| - Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent) | |
| o Also note, I didn't modify the server to ignore these, Minetest servers just do ¯\_(ツ)_/¯ | |
| - You can patch this function to return true, and the client can now toggle these abilities. | |
| However the binary had extra anti-cheat built in |
NewerOlder