Skip to content

Instantly share code, notes, and snippets.

@c3c
c3c / epaper73_picture_display.py
Created June 8, 2024 20:26
Snipppet for a T8-C3 driving a WaveShare 7.3in ACeP epaper display
# Snipppet for a T8-C3 driving a WaveShare 7.3in ACeP epaper display
# Retrieves pictures from wifi and stream them to the display
# Pictures must be preformatted in GS4_HMSB format
# Updates screen every 4 hours with a new picture
from machine import deepsleep, Pin, SPI
import time
import network
import requests
import random
@c3c
c3c / dotnet-identity-hash.py
Created December 8, 2021 15:45
Conversion of identity hashes
from base64 import b64decode,b64encode
from struct import pack,unpack
from binascii import hexlify
import sys
def u32(x): return unpack(">I", x)[0]
def p32(x): return pack(">I", x)
hash = b64decode(sys.argv[1]).replace(b"-",b"")
@c3c
c3c / Invoke-ZipFolder.ps1
Created June 26, 2018 11:05
Invoke-ZipFolder.ps1
# Invoke-ZipFolder from https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/zipfolder.py
# also works on older PowerShell versions, worrying though that it displays a dialog, see https://github.com/EmpireProject/Empire/issues/135
function Invoke-ZipFolder
{
param([string]$Folder, [string]$ZipFileName)
if (-not (Test-Path $Folder)) {
"Target folder $Folder doesn't exist."
return
}
@c3c
c3c / hackitctf2017-pwn200.py
Created August 27, 2017 17:47
HackIT CTF 2017 Pwn200
# solution for HackIT CTF 2017 pwn200 challenge
# my first ARM exploit :0
# binary is NX + ASLR enabled on the server
# there's a format string vulnerability as well as a buffer overflow
# we can obtain the stack canary through the format string, then perform the overflow.
# since NX is enabled, we have to ROP our way to a shell
# - c3c
from pwn import *
context.arch = 'arm'
@c3c
c3c / redis-lua-linux-x86-poc.py
Created February 24, 2017 09:29
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@c3c
c3c / rollthedice.py
Last active October 9, 2016 13:59
Hackover CTF rollthedice solution
from pwn import *
from Crypto.Cipher import AES
r = remote("challenges.hackover.h4q.it", 1415)
def decr(key, roll):
return u16(AES.new(key).decrypt(roll)[:2], endian="big")
for i in range(32):
r.recvuntil("My dice roll: ")
@c3c
c3c / ping_gnop.py
Created October 9, 2016 12:41
Hackover CTF ping_gnop solution
from pwn import *
# the binary reverses our payload and checks for a number of bad bytes
# generated a ropchain and modified it to work
def ropchain():
# modified ropchain generated with ropper
# ropper's badbytes option didnt work correctly...
from struct import pack
@c3c
c3c / bookshellf.py
Created October 9, 2016 12:25
Hackover CTF bookshellf solution
from pwn import *
context.os = 'linux'
context.arch = "amd64"
#r = process("./bookshellf")
r = remote("challenges.hackover.h4q.it", 31337)
# using the book 'seek' function we can read past the array boundary and leak memory
# we can leak the stack canary and rbp, then produce an overflow and overwrite rip while pointing to our shellcode (NX is not set)
@c3c
c3c / SimpleHTTPServerWithUpload.py
Last active July 7, 2016 16:54 — forked from UniIsland/SimpleHTTPServerWithUpload.py
Simple Python Http Server with Upload and allowing to bind different addresses
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""
#!/bin/sh
##
## netscreen/jnpr ssl vpn connection magic
## [email protected] / @oogali
##
## i wrote this about a year ago (2009), when i had continuous access
## to a jnpr ssl vpn box and had to connect via it.
##
## if bits of this script are broken, i'll be glad to fix if someone
## gives me client access to a ssl vpn box to test against.