Samuel Groß saelo

saelo / yolo.c
Created May 14, 2018
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CFPropertyList.h>
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit";
saelo / ec3_pwn.c
Created May 14, 2018
Exploit for the EC3 qemu escape challenge of Defcon CTF Qualifiers 2018
//
// Exploit for the EC3 qemu escape challenge of Defcon CTF Qualifiers 2018
//
// Also see https://kitctf.de/writeups/hitb2017/babyqemu
//
// Copyright (c) 2018 Samuel Groß
//
#include <fcntl.h>
#include <inttypes.h>
saelo / pwn.js
Created May 6, 2018
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down to "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
saelo / pwn.py
Last active May 7, 2018
Exploit for "ragnarok" of HITCON CTF 2017
#!/usr/bin/env python3
#
# Exploit for "ragnarok" of HITCON CTF 2017.
#
# Bug:
# ----
# In Odin::add_weapon, the following line of code is executed:
#
# cast_spell(shared_ptr<Figure>(this));
#
saelo / authorize.swift
Created Jul 6, 2017
Simple program to interact with authd via the macOS authorization API
import Foundation
let rightname = "sys.openfile.readonly./tmp/cantread.txt"
var status: OSStatus
var authref: AuthorizationRef?
let flags = AuthorizationFlags([.interactionAllowed, .extendRights, .preAuthorize])
status = AuthorizationCreate(nil, nil, flags, &authref)
assert(status == errAuthorizationSuccess)
saelo / pwn.py
Last active Oct 29, 2017
Solution for "assignment" of GoogleCTF 2017
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a
saelo / writeup.txt
Last active Jun 14, 2017
No comment... again...
# No comment... again...
Playing around with gdb attached to the binary running under wine on Linux, we
search for some of the strings that are printed when running the binary. Near
those, we find a string that looks much like ascii art and ends with a '}', so
this must be the flag. Unfortunately, the string only contains the last few
characters, the start seems to have been overwritten. It appears like the
string has been freed, and the front parts reclaimed by the heap allocator.
Switching to Windows, we set a conditional breakpoint on msvcrt!free which
saelo / sploit.c
Created Jun 24, 2015
Exploit for nemo2
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <pty.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
saelo / phpcoll.c
Created May 4, 2015
Find php md5 collisions
/*
 * Find php md5 collisions (var_dump(md5('240610708') == md5('QNKCDZO'));)
 *
 * gcc -Ofast -std=c99 -lcrypto -o phpcoll phpcoll.c
 *
 * Copyright (c) 2015 Samuel Groß
 */
#include <stdio.h>
#include <unistd.h>
saelo / pwn.py
Last active Aug 29, 2015
Solution for "mashed_potato", Codegate CTF 2015
#!/usr/bin/env python
#coding: UTF-8
import struct
import socket
import telnetlib
import time
import sys
import re