Skip to content

Instantly share code, notes, and snippets.

/*
Question: how hook into the creation of new processes /and/ threads?
Attempt #1: Attach a kprobe to the `execve` syscall
- This works, but will not catch threads created via clone.
Attempt #2: Add an additional kretprobe to the `clone` syscall
- On success, clone returns the newly created thread id. This works fine
until you start dealing with pid namespaces. If clone is called from a
different pid namespace, the return value will only be valid for that
import ctypes, sys, os, string
try:
pid = int(sys.argv[1])
except IndexError:
print >> sys.stderr, "{} <process_id>".format(sys.argv[0])
sys.exit(1)
libc = ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc.process_vm_readv.argtypes = [ctypes.c_uint64, ctypes.c_void_p, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_uint64, ctypes.c_uint64]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFXrqMIBEADs7PR4iqATlwguGqGLTbUmeUWtjfnyf+ZrEh6P9Xi2MP23qJh4
XHaAOlB0nzgOIvqPGNBa6OU6aUq/timRZY0XRKFGj3pExiq/efkMP5a2QvPTfaPa
L1k0yH4VNzerALIXvrYxVkQmEKeTV1WSp7bOfSGajcvINitLXBaFoVJAoqbmoDTn
vcRIffQOJ7/Kccn0vbrTqqZykYfG68APPjGW08KdbQGAgrSMRMS0gNnbZKQ0PhOf
EoGXXNa9AvKMo15U01v9aC+kZJ+0VmcswIknF+2IugLChuhz5FYxJ9m2t8OJBF1P
RobI86Zgexq83cNSDhSR+I53+VW0uJPHRQhp+AB2l6aspKq+V92QZZ3mcI1NR95J
epFx0DeMbajA3oeKH/9+77kqeS/am+veZZgm4qKe6ziM4xfxsN9090RHq+32NGUt
@ancat
ancat / obese.md
Created July 18, 2017 17:09
obesity spam
Subject: Being a glutton is an awful sin, learn how you can stop living a sinful life and lose excessive weight
From: [email protected]
Date: Jul 15 02:25AM +0200

Our Lord and Savior wants you to stop being obese.
The Bible says that gluttony is an awful sin.
The craving of food can quickly become an idol in our lives.
Anything that takes the place of Lord is a sin against Him (Proverbs 23:2).
@ancat
ancat / caffe.md
Last active March 23, 2018 21:21
instructions for setting up caffe

Setting up Caffe for Running Deepdream on OS X

Dependencies

Use Brew

Install brew and pip (sudo easy_install pip)

brew update
brew install homebrew/science/openblas
@ancat
ancat / pwnable_2.md
Last active December 21, 2015 19:27
wwtw.md

WWTW

Solving the Game

Wibbly wobbly timey wimey, or "wwtw" was a two point pwnable from Defcon quals this year. I worked on this challenge with my teammate, @MarvelousBreadchris. Running it right away shows us a little game screen:

You(^V<>) must find your way to the TARDIS(T) by
avoiding the angels(A).
Go through the exits(E) to get to the next room
from pwn import *
import sys
lei = lambda x: struct.pack('I', x);
stack_chk = 0x0804B01C # location of stack_chk in the got
ret = 0x08048D89 # stack pivot (sub esp, 0x1c; pop; pop; pop; pop; ret;)
live = True
if live:

Kendall

Kendall was a 300 point "red" challenge - an exploitable. This was a pretty involved challenge but it was simple once you realized what you had to do. Launching the binary would start a forking server for some DHCP Management Console.

Playing around with the console, it's clear that authenticating is going to be integral to solving the challenge. The authenticate function opens a password.txt file and compares it with your input. You would probably be able to use the strcmp as a timing oracle to brute force the password, but that's kind of lame.

While reversing, we noticed the same strange function being used to read user input being used everywhere. Strange, mostly because it only accepted a size parameter. It didn't accept a destination buffer nor did it allocate space for one - it just used the same statically sized 128 byte long buffer in the .bss segment.

set $root = 0x804c36c
# first element
break *0x08049030
commands
silent
printf "allocated first_node->name @ 0x%x\n", $eax
continue
end
break *0x0804903D
?<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>http://24.media.tumblr.com</title>