Skip to content

Instantly share code, notes, and snippets.

View zachriggle's full-sized avatar

Zach Riggle zachriggle

487 followers · 177 following
View GitHub Profile
@zachriggle
zachriggle / README.md
Last active June 15, 2016 02:51

DEFCON Quals 2016 Pwnable -- GladOS

The write-up is basically the exploit.

@zachriggle
zachriggle / README.md
Last active May 25, 2016 07:20
DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit

DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit Write-Up

The write-up is the exploit.

Example Output

[*] './heapfun4u'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
@zachriggle
zachriggle / parse.py
Last active January 4, 2016 17:29
world_wide_something
import scapy, struct, socket, binascii, logging
from scapy.all import *
from collections import defaultdict
#
# Entry
#
def USBIP(PacketData):
if PacketData[:2] == '\x01\x11':
@zachriggle
zachriggle / gist:5659055
Created May 27, 2013 20:58
schemadump 192.168.1.79
msf auxiliary(mysql_schemadump) > run
[*] Schema stored in: /Users/zachriggle/.msf4/loot/20130527165753_default_192.168.1.79_mysql_schema_235782.txt
[+] MySQL Server Schema
Host: 192.168.1.79
Port: 3306
====================
---
- DBName: BadApple
@zachriggle
zachriggle / portscan.txt
Last active December 17, 2015 19:09
unalloctf portscan
~ ⮀ sudo nmap -sT -T Insane -P0 -A 192.168.1.2 192.168.1.66 192.168.1.79 192.168.1.80 192.168.1.117 192.168.1.213 192.168.1.214 192.168.1.254 -v -v --privileged
Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-27 14:58 EDT
NSE: Loaded 106 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Initiating Parallel DNS resolution of 8 hosts. at 14:58
Completed Parallel DNS resolution of 8 hosts. at 14:58, 0.74s elapsed
Initiating Connect Scan at 14:58
@zachriggle
zachriggle / tabspace.py
Created September 14, 2011 15:36
Tabs and Spaces
# Leading Tabs, align with tabs
print "Hello" # Comment
print "Hello, world" # Comment
# Leading tabs, align with space
print "Hello" # Comment
print "Hello, world" # Comment
@zachriggle
zachriggle / gist:939024
Created April 23, 2011 22:12
#!/usr/bin/python
import md5, sys
h = '\x8b\x07Y\x98!\n\x1a\xc8\x86\xe8G\x0f\x9a\x8b[\xc0'.encode('hex')
def chk(s):
print s
if (md5.new(s).hexdigest() == h):
sys.exit()
@zachriggle
zachriggle / wat.md
Created November 29, 2014 05:19

gdb-peda$ x/i $pc => 0xf763d100 <__libc_system>: push ebx gdb-peda$ telescope $sp 2 00:0000| esp 0x188340de --> 0x8048c0d (add esp,0x10) 01:0004| 0x188340e2 --> 0x188340f2 ("/tmp/note||bash") gdb-peda$ continue ... Stopped reason: SIGSEGV 0xf763ce3c in do_system (line=0x188340f2 "/tmp/note||bash") at ../sysdeps/posix/system.c:153

@zachriggle
zachriggle / gist:a363d271b29ab5943f64
Created October 13, 2014 07:54
>>> class A(object): pass
...
>>> a = A()
>>> a.__len__ = lambda: 3
>>> a.__len__()
3
>>> len(a)
Traceback (most recent call last):
...
TypeError: object of type 'A' has no len()
@zachriggle
zachriggle / patch.py
Created June 25, 2014 18:10
Applies IDA Patches to Binaries
import argparse
import fileinput
import re
import binascii
import struct
unhex = binascii.unhexlify
u32 = lambda x: struct.unpack('>L', x)[0]
hexa = r'[0-9A-F]'
pattern = r'(%s{8}): (%s{2}) (%s{2})' % (hexa, hexa, hexa)