Skip to content

Instantly share code, notes, and snippets.

View itszn's full-sized avatar

Amy itszn

252 followers · 10 following
View GitHub Profile
@itszn
itszn / exploit.html
Last active April 9, 2021 18:31
34c3ctf V9 Exploit
<script>
function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }
var sc = [];
for (var i=0; i<0x480; i++) {
sc.push(0x90);
}
//sc.push(0xcc);
//sc.push(0xeb);
//sc.push(0xfe);
@itszn
itszn / subleq.py
Created October 16, 2017 04:24
Binary Ninja subleq plugin
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
BranchType,
LowLevelILOperation, LLIL_TEMP,
LowLevelILLabel,
FlagRole,
LowLevelILFlagCondition,
log_error,
CallingConvention,
interaction,
@itszn
itszn / keybase.md
Created August 1, 2017 17:25
keybase.md

Keybase proof

I hereby claim:

  • I am itszn on github.
  • I am itszn (https://keybase.io/itszn) on keybase.
  • I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo

To claim this, I am signing this object:

@itszn
itszn / gist:5c6030addaecd041af522a77975e986d
Created December 21, 2016 20:27
Super fast hex encoding
from timeit import timeit
from ctypes import *
'''
libc = CDLL('libc.so.6')
libc.mprotect(0x400000,0x1000,7)
s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex')
#s = "\xc3"
libc.memcpy(0x400000, c_char_p(s),len(s))
@itszn
itszn / README.md
Last active November 6, 2016 23:56
Just In Time

Just in Time

300 point
Web
Andrew Fasano

TL;DR;

This challenge can be solved by exploiting the time change from EDT to EST that will happen on Nov 6.

@itszn
itszn / README.txt
Created November 6, 2016 23:31
Fox Sim
This challenge was a source only pwnable based on a aliasing bug with -O2. Also not all the source code was given.
Intended solution outline:
- In the source in assignVotes, a voter and a candidate can become aliased, and -02 optimization causes an incorrect return value.
o If the person is the same as the candidate, it sets the voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
o Then when going to print the error message, it instead tries print the votes (if it is > than the address of main)
o This will print what ever point is given, allowing memory to be leaked up to a null
- Now with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge)
@itszn
itszn / README.txt
Created November 6, 2016 23:25
The Wall
This challenge required that you write cheats for a minecraft clone to bypass a large wall
There are tons of ways to solve this, but here was the main idea.
- There was a function that would on the client side return if a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent)
o Also note, I didn't modify the server to ignore these, Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can now toggle these abilities.
However the binary had extra anti-cheat built in