Skip to content

Instantly share code, notes, and snippets.

View hhc0null's full-sized avatar

hhc0null hhc0null

51 followers · 39 following
  • japan
View GitHub Profile
@hhc0null
hhc0null / exploit_template.py
Last active October 4, 2015 20:49
exploit template
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import subprocess
import sys
import telnetlib
import time
@hhc0null
hhc0null / team.c
Last active August 29, 2015 14:18
BackdoorCTF 2015 team-600pts
int sub_80486ad(char *arg0, char *arg1)
{
// Local variables.
char *ebp_80h;
char *ebp_7ch;
int ebp_74h;
ebp_7ch = arg0;
ebp_80h = arg1;
ebp_74h = fopen("flag.txt", "r");
@hhc0null
hhc0null / superman_brainfuck.disas
Last active August 29, 2015 14:18
In progress...
// get origin address.
08077008 E81C060000 call dword 0x8077629
0807700D 83EE05 sub esi,byte +0x5 // esi - 5: 0x8077008
origin = (void *)0x8077008;
sub_08077010()
{
08077010 55 push ebp
08077011 89E5 mov ebp,esp
08077013 81EC00040000 sub esp,0x400
@hhc0null
hhc0null / superman_brainfuck.c
Last active May 26, 2017 16:25
[NDH2k15 Crackme_Reverse-Superman-500pts] The superman is a brain fucker.
// get origin address.
// 08077008 E81C060000 call dword 0x8077629
// 0807700D 83EE05 sub esi,byte +0x5 // esi - 5: 0x8077008
origin = (void *)0x8077008;
int sub_08077010()
{
ebp_c04h = sub_080775B2(origin, 0x621);
if(getuid() != 0) {
sub_08077259(origin+0x628, ebp_c04h);
@hhc0null
hhc0null / 20150415-libseccomp_pseudo_syscall.md
Last active February 26, 2020 21:52
[メモ書き] libsecompのpseudo syscallについて

libsecompのpseudo syscallについて

 PlaidCTF 2014のjackshitを読む際に, libseccompのseccomp_rule_addでsyscallに負数を渡していることが気になったのでメモ書きとして残しておく.

1. Seccomp

 Secure Computing(Seccomp)は, プロセスのサンドボックス化のためのLinuxカーネルの機構である. read/write/exit/sigreturn以外を制限するMode 1はLinuxの2.6.12でマージされた機能である[1].
 Linux 3.5ではMode 2が追加され, 任意のシステムコールの制限が可能となり, 記述もBSD Packet Filter(BPF)を利用することとなった[2].

1.2 libseccomp

 libseccomp[3]は, Seccompを使う上で生じるアーキテクチャ毎の差異などの吸収を行うライブラリである. 現在, x86, ARM, MIPSがサポートされている[4].

@hhc0null
hhc0null / jackshit.c
Last active August 29, 2015 14:19
[PlaidCTF2014 Pwnables200] jackshit
int main(void)
{
// Local variables.
struct passwd *passwd;
gid_t ebp_d0h;
uid_t ebp_cch;
size_t ebp_bch;
int ebp_b8h;
struct sockaddr_in ebp_b4h;
struct sigaction ebp_a4h;
@hhc0null
hhc0null / cryptoserv.c
Created April 18, 2015 17:34
void reset_vm()
{
for(ebp_04h = 0; ebp_04h < 0x10; ebp_04h++) {
bss_804abc0h[ebp_04h] = 0;
}
bss_804ac00h = 0;
}
int opcode_valid(arg_0, arg_4)
{
@hhc0null
hhc0null / quine.c
Last active August 29, 2015 14:19
[Teaser_CONFidence_CTF_2015_Pwning-Quine-400pts] Unsolved.
struct hoge {
char *offset_00h;
int offset_04h; // max length.
int offset_08h; // counter.
}
void sub_804889d(char *arg_0)
{
puts(arg_0);
exit(EXIT_FAILURE);
@hhc0null
hhc0null / tiny_bash.c
Created May 1, 2015 17:47
[VolgaCTF_2015_pwn-bash-125pts]
/*
bash
just another super-puper secure shell
nc bash.2015.volgactf.ru 7777
tiny_bash[http://files.2015.volgactf.ru/bash/tiny_bash]
*/
char *bss_602140h[] = {"flag", "bash", "python", "netcat", "perl", "args", "pico", "echo", "grep", "find", "sudo", "system", "exec", "regexp", "tail", "head", "less", "more"};
@hhc0null
hhc0null / incomplete_exploit.py
Last active August 29, 2015 14:20
[VolgaCTF_2015_pwn-my_little_pwnie-250pts]
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import subprocess
import sys
import telnetlib
import time