Marc O'Morain marcomorain

## gist:4119629
mysql> SHOW CREATE TABLE install_tracking_results \G;
*************************** 1. row ***************************
       Table: install_tracking_results
Create Table: CREATE TABLE `install_tracking_results` (
  `game_id` int(11) NOT NULL,
  `segment_id` varchar(255) NOT NULL,
  `target_game_id` int(11) NOT NULL,
  `source` varchar(255) NOT NULL,
  `category` varchar(255) NOT NULL,
  `time` varchar(255) NOT NULL,

## Maps.java
import java.util.Collection;
import java.util.Map;
import java.util.Set;

public class Maps {

    public static <K,V> Map<K,V> withDefaultValue(Map<K,V> map, V defaultValue){
        return new DefaultMap<K, V>(map, defaultValue);
    }


## gist:5507883
mysql> DELETE FROM foo WHERE bar NOT IN (SELECT id FROM baz WHERE qux IN (14, 20, 46));
ERROR 1114 (HY000): The table 'foo' is full

mysql> DELETE FROM foo WHERE bar NOT IN (SELECT id FROM baz WHERE qux IN (14, 20, 46)) LIMIT 10000;
ERROR 3 (HY000): Error writing file '/rdsdbdata/tmp/MLGmPViY' (Errcode: 28)

....

ERROR 20 (HY000): Disk is full writing '/rdsdbdata/log/binlog/mysql-bin-changelog.002204' (Errcode: 28). Waiting for someone to free space... (Expect up to 60 secs delay for server to continue after freeing disk space)

## gist:5723591
0   libsteam.dylib                  0x0a955536 std::_Rb_tree<unsigned int, std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo>, std::_Select1st<std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo> > >::find(unsigned int const&) + 32
1   libsteam.dylib                	0x0a94a02b Grid::CAccount::CImpl::GetAppCurrentVersion(unsigned int, std::string*) + 71
2   libsteam.dylib                	0x0a94ce06 Grid::CAccount::EnumerateApp(unsigned int, TSteamApp*) + 180
3   libsteam.dylib                	0x0aa3f142 Grid::InternalSteamEnumerateApp(unsigned int, unsigned int, TSteamApp*, TSteamError*) + 194
4   libsteam.dylib                	0x0a9ddb29 Grid::CEngineLoopbackConnection::EnumerateApp(unsigned int, TSteamApp*, TSteamError*) + 41
5   libsteam.dylib                	0x0aa1dffc SteamEnumerateApp + 203
6   steamui.dylib                 	0x0ae877ea CSteam2CacheManager::UpdateC

## gist:5858275

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                marcomorain
                / gist:5858275
            
            
              Last active
              August 1, 2018 02:55
            
          
    (S)ELF-EXPLOITATION

Jonathan Garrett, Insomniac Games

RATCHET AND CLANK: UP YOUR ARSENAL was an online title which shipped without the ability to patch either code or data. Which was unfortunate.
The game downloads and displays an End User License Agreement each time it’s launched. This is an ascii string stored in a static buffer. This buffer is filled from the server without checking that the size is within the buffer’s capacity.
We exploited this fact to cause the EULA download to overflow the static buffer far enough to also overwrite a known global variable. This variable happened to be the function callback handler for a specific network packet. Once this handler was installed, we could send the network packet to cause a jump to the address in the overwritten global. The address was a pointer to some payload code which was stored earlier in the EULA data.
Valuable data existed between the real end of the EULA buffer and the overwritten global, so the first job of the payload code was to restore

  
## degenerate.css
{
  width: 100%;
}

## Twitter.py
import time
import requests
import json
import base64
from flask import Flask
from flask import jsonify
from flask import Response

consumer_key = 'CONSUMER KEY FOR YOUR APP'
consumer_secret = 'CONSUMER SECRET FOR YOUR APP'

## wat?
parts = [1982, 5, 29]
// => [1982, 5, 29]
// This is my birthday.

new Date(parts)
// => Sat May 29 1982 00:00:00 GMT+0100 (IST)
// Month is 1-based (5 = May)

new Date(parts[0], parts[1], parts[2])
// => Tue Jun 29 1982 00:00:00 GMT+0100 (IST)

## RateLimitedPushManager.java
package com.swrve.push_system;

import com.google.common.util.concurrent.RateLimiter;
import com.relayrides.pushy.apns.ApnsEnvironment;
import com.relayrides.pushy.apns.ApnsPushNotification;
import com.relayrides.pushy.apns.PushManager;
import java.security.KeyStore;
import java.util.Collection;
import scala.actors.threadpool.Arrays;

## csgo crast
Process:         csgo_osx [50248]
Path:            /Users/USER/Library/Application Support/Steam/*/csgo_osx
Identifier:      csgo_osx
Version:         ???
Code Type:       X86 (Native)
Parent Process:  bash [50245]
Responsible:     bash [354]
User ID:         501

Date/Time:       2014-01-02 13:59:11.710 +0000
	mysql> SHOW CREATE TABLE install_tracking_results \G;
	************************* 1. row *************************
	Table: install_tracking_results
	Create Table: CREATE TABLE `install_tracking_results` (
	`game_id` int(11) NOT NULL,
	`segment_id` varchar(255) NOT NULL,
	`target_game_id` int(11) NOT NULL,
	`source` varchar(255) NOT NULL,
	`category` varchar(255) NOT NULL,
	`time` varchar(255) NOT NULL,
	import java.util.Collection;
	import java.util.Map;
	import java.util.Set;

	public class Maps {

	public static <K,V> Map<K,V> withDefaultValue(Map<K,V> map, V defaultValue){
	return new DefaultMap<K, V>(map, defaultValue);
	}
	mysql> DELETE FROM foo WHERE bar NOT IN (SELECT id FROM baz WHERE qux IN (14, 20, 46));
	ERROR 1114 (HY000): The table 'foo' is full

	mysql> DELETE FROM foo WHERE bar NOT IN (SELECT id FROM baz WHERE qux IN (14, 20, 46)) LIMIT 10000;
	ERROR 3 (HY000): Error writing file '/rdsdbdata/tmp/MLGmPViY' (Errcode: 28)

	....

	ERROR 20 (HY000): Disk is full writing '/rdsdbdata/log/binlog/mysql-bin-changelog.002204' (Errcode: 28). Waiting for someone to free space... (Expect up to 60 secs delay for server to continue after freeing disk space)
	0 libsteam.dylib 0x0a955536 std::_Rb_tree<unsigned int, std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo>, std::_Select1st<std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, Grid::TAppEnabledBySubscriptionsInfo> > >::find(unsigned int const&) + 32
	1 libsteam.dylib 0x0a94a02b Grid::CAccount::CImpl::GetAppCurrentVersion(unsigned int, std::string*) + 71
	2 libsteam.dylib 0x0a94ce06 Grid::CAccount::EnumerateApp(unsigned int, TSteamApp*) + 180
	3 libsteam.dylib 0x0aa3f142 Grid::InternalSteamEnumerateApp(unsigned int, unsigned int, TSteamApp, TSteamError) + 194
	4 libsteam.dylib 0x0a9ddb29 Grid::CEngineLoopbackConnection::EnumerateApp(unsigned int, TSteamApp, TSteamError) + 41
	5 libsteam.dylib 0x0aa1dffc SteamEnumerateApp + 203
	6 steamui.dylib 0x0ae877ea CSteam2CacheManager::UpdateC
	import time
	import requests
	import json
	import base64
	from flask import Flask
	from flask import jsonify
	from flask import Response

	consumer_key = 'CONSUMER KEY FOR YOUR APP'
	consumer_secret = 'CONSUMER SECRET FOR YOUR APP'
	parts = [1982, 5, 29]
	// => [1982, 5, 29]
	// This is my birthday.

	new Date(parts)
	// => Sat May 29 1982 00:00:00 GMT+0100 (IST)
	// Month is 1-based (5 = May)

	new Date(parts[0], parts[1], parts[2])
	// => Tue Jun 29 1982 00:00:00 GMT+0100 (IST)
	package com.swrve.push_system;

	import com.google.common.util.concurrent.RateLimiter;
	import com.relayrides.pushy.apns.ApnsEnvironment;
	import com.relayrides.pushy.apns.ApnsPushNotification;
	import com.relayrides.pushy.apns.PushManager;
	import java.security.KeyStore;
	import java.util.Collection;
	import scala.actors.threadpool.Arrays;
	Process: csgo_osx [50248]
	Path: /Users/USER/Library/Application Support/Steam/*/csgo_osx
	Identifier: csgo_osx
	Version: ???
	Code Type: X86 (Native)
	Parent Process: bash [50245]
	Responsible: bash [354]
	User ID: 501

	Date/Time: 2014-01-02 13:59:11.710 +0000