wumb0 wumb0
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from time import sleep | |
| e = ELF('./dat-boinary') | |
| libc = ELF(args.get('LIBC', './libc.so.6')) | |
| if args.get('REMOTE'): | |
| r = remote("problems.ctfx.io", 1337) | |
| else: | |
| r = process(e.path) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from libformatstr import FormatStr | |
| context.log_level = 'info' | |
| e = ELF("./greeting") | |
| if args.get('REMOTE'): | |
| r = remote('pwn2.chal.ctf.westerns.tokyo', 16317, timeout=10) | |
| else: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from time import sleep | |
| import numpy as np | |
| ''' | |
| this is a format string leak combined with house of force heap exploitation. | |
| You control the amount of memory allocated. So allocating very little space, | |
| then a lot (calculated), then again will allow you to get a pointer to read/write | |
| anywhere you want! | |
| Steps: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 32 | |
| ; flag: RC3-2016-YEAH-DATS-BETTER-BOII | |
| ; based on http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | |
| org 0x08048000 | |
| ehdr: | |
| db "FLAG" ; e_ident | |
| db 1, 1, 1, 0, 0 | |
| _start: mov ecx,promptsize | |
| jmp main | |
| dw 2 ; e_type |
wumb0
/ col_solve.py
Last active
March 16, 2017 21:06
angr solver for the collision challenge of pwnable.kr
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from angr import Project, surveyors | |
| from sys import exit | |
| import claripy | |
| '''vars | |
| pstr: where the dynamic input will be stored in the state | |
| phcode: the address of hash to collide with (the program loads the correct hash from this address) | |
| find: the address we want the path explorer to find (the "you win" address) | |
| retn: the simulation starts in a function called from main (check_password) but the 'find' address is in main so I need a place to return |
wumb0
/ Set-WmiNamespaceSecurity.ps1
Last active
October 17, 2017 02:57
— forked from exchange12rocks/Set-WmiNamespaceSecurity.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) Microsoft Corporation. All rights reserved. | |
| # For personal use only. Provided AS IS and WITH ALL FAULTS. | |
| # Set-WmiNamespaceSecurity.ps1 | |
| # Example: Set-WmiNamespaceSecurity root/cimv2 add steve Enable,RemoteAccess | |
| # https://blogs.msdn.microsoft.com/wmi/2009/07/27/scripting-wmi-namespace-security-part-3-of-3/ | |
| function Set-WmiNamespaceSecurity { | |
| Param ( |
wumb0
/ indexer.py
Last active
February 27, 2018 05:51
helps index stuff for exams... if they don't give you an index, or the one they provide is bad. tweak as you see fit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sqlalchemy import create_engine, Column, Integer, String, func | |
| from sqlalchemy.orm import sessionmaker | |
| from sqlalchemy.ext.declarative import declarative_base | |
| from reportlab.lib.pagesizes import letter | |
| from reportlab.lib.units import cm | |
| from reportlab.pdfgen import canvas | |
| from reportlab.pdfbase.pdfmetrics import stringWidth | |
| import sys | |
| try: |
wumb0
/ extract_pingdata.py
Created
July 13, 2016 19:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from scapy.all import * | |
| import sys | |
| import base64 | |
| # script to extract data from ping padding (http://wumb0.in/ping-exfil.html) | |
| try: | |
| config.conf.iface = sys.argv[2] | |
| except: pass |
wumb0
/ BannedFunctions.py
Created
November 18, 2019 15:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This script is a simple script to locate functions within a program | |
| # that are on the Microsoft "banned functions list" inside of banned.h | |
| #@author Jaime Geiger | |
| #@category Vulnerability Research | |
| #@keybinding Ctrl-Shift-Alt-B | |
| #@menupath Tools.Plugins.Banned Functions | |
| banned = ["strcpy","strcpyA","strcpyW","wcscpy","_tcscpy","_mbscpy","StrCpy","StrCpyA","StrCpyW","lstrcpy","lstrcpyA","lstrcpyW","_tccpy","_mbccpy","_ftcscpy","strcat","strcatA","strcatW","wcscat","_tcscat","_mbscat","StrCat","StrCatA","StrCatW","lstrcat","lstrcatA","lstrcatW","StrCatBuff","StrCatBuffA","StrCatBuffW","StrCatChainW","_tccat","_mbccat","_ftcscat","wvsprintf","wvsprintfA","wvsprintfW","vsprintf","_vstprintf","vswprintf","strncpy","wcsncpy","_tcsncpy","_mbsncpy","_mbsnbcpy","StrCpyN","StrCpyNA","StrCpyNW","StrNCpy","strcpynA","StrNCpyA","StrNCpyW","lstrcpyn","lstrcpynA","lstrcpynW","strncat","wcsncat","_tcsncat","_mbsncat","_mbsnbcat","StrCatN","StrCatNA","StrCatNW","StrNCat","StrNCatA","StrNCatW","lstrncat","lstrcatnA","lstrcatnW" |
wumb0
/ MonitorMalware.ps1
Last active
May 16, 2020 00:05
WMI consumer and filter that trigger on a windows defender malware alert with details
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $argss = @{Name="MonitorMalwareFilt";QueryLanguage="WQL";Query="select * from __instancecreationevent within 5 where targetinstance isa 'Malware'";EventNamespace="root\Microsoft\SecurityClient"} | |
| $filt = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $argss | |
| $argss = @{Name="MonitorMalwareCons";CommandLineTemplate="msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)"} | |
| $cons = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $argss | |
| $argss = @{Filter=$filt;Consumer=$cons} | |
| Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $argss |
OlderNewer