
Improving Documentation

The documentation in pwndbg is currently lacking, and there are multiple facets that could be improved. The README itself could be made shorter, with sections factored out into their own documents/pages accessible via the https://pwndbg.re/ website. Both the https://pwndbg.re/ landing page and https://pwndbg.re/pwndbg/ are generated from the README using different workflows - they should be merged into one. There are also some bugs, such as markdown not being rendered properly in certain sections.

The commands page (generated from here) should be combed through so that any missing commands are added and outdated commands updated. Ideally the page should be reworked to show the same help that is shown in the debugger (defined in the command source code and thus always up to date) and additionally have longer explanations, common use cases and examples (sometimes with pictures). Simple examp

@k4lizen
k4lizen / compress.sh
Last active July 12, 2024 14:42
kernel pwn: Compress initramfs with statically linked exploit
#!/bin/bash
# Compress initramfs with the included statically linked exploit
# usage: ./compress.sh exploit.c   (expects an already unpacked ./initramfs directory)
in="$1"
out="${in%.c}"                       # strip the ".c" suffix to get the binary name
gcc "$in" -static -o "$out" || exit 255
mv "$out" initramfs/
pushd initramfs > /dev/null || exit 1
find . -print0 | cpio --null --format=newc -o 2>/dev/null | gzip -9 > ../initramfs.cpio.gz
popd > /dev/null
@k4lizen
k4lizen / decompress.sh
Last active July 12, 2024 15:07
kernel pwn: Decompress a .cpio.gz file system (initramfs)
#!/bin/bash
# Decompress a .cpio.gz packed file system
set -e                       # abort on the first failing step instead of extracting into the wrong directory
rm -rf ./initramfs
mkdir initramfs
cd initramfs
cp ../initramfs.cpio.gz .
gunzip ./initramfs.cpio.gz
cpio -idm < ./initramfs.cpio
rm initramfs.cpio
echo "Done"
@k4lizen
k4lizen / ptrmangle.py
Last active May 3, 2024 17:29
glibc pointer (de)mangling
# for exit funcs (glibc's PTR_MANGLE/PTR_DEMANGLE xor the pointer with the
# pointer guard and rotate it; these helpers do the 64-bit rotate part)
MASK64 = 0xFFFFFFFFFFFFFFFF

def shift_right_carry(number: int, shift_amount: int) -> int:
    # 64-bit rotate right: a bit shifted out on the right re-enters at bit 63 (x86 `ror`)
    for _ in range(shift_amount):
        if (number & 1) == 0:
            number = number >> 1
        else:
            number = (number >> 1) | 0x8000000000000000
    return number

def shift_left_carry(number: int, shift_amount: int) -> int:
    # 64-bit rotate left: the top bit re-enters at bit 0 (x86 `rol`)
    for _ in range(shift_amount):
        if (number & 0x8000000000000000) == 0:
            number = (number << 1) & MASK64
        else:
            number = ((number << 1) & MASK64) | 1
    return number
@k4lizen
k4lizen / libc_call.py
Created April 21, 2024 12:23
Using libc (rand, srand) etc using python
import time
from math import floor
from ctypes import CDLL

libc = CDLL("libc.so.6")
now = int(floor(time.time()))   # seed with the current Unix time, as many C programs do
libc.srand(now)
print(libc.rand())
@k4lizen
k4lizen / setcontext32.py
Last active April 13, 2024 02:59
setcontext32 payload to turn arbitrary write to RCE
# from https://hackmd.io/@pepsipu/SyqPbk94a
from pwn import *

def create_ucontext(
    src: int,
    rsp=0,
    rbx=0,
    rbp=0,
    r12=0,
    r13=0,
@k4lizen
k4lizen / elf.py
Created April 12, 2024 01:15
elf.py script for elfcrafting
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# mayhem/datatypes/elf.py
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
@k4lizen
k4lizen / libc-from-dockerfile.sh
Created March 15, 2024 17:27
Get LIBC and interpreter from Dockerfile
#!/bin/sh
# dependencies: docker and https://github.com/BurntSushi/ripgrep
libc_renamed=libc.so.6
ldlinux_renamed=ld-linux.so
if distro=$(rg -or '$1$2' -- '(?:--from=|FROM )(debian|ubuntu)(\S+)?' Dockerfile); then
    if container=$(docker container create "$distro"); then
        if libs=$(docker run "$distro" ldd /bin/true); then
            libs=$(printf %s "$libs" | awk 'NF == 4 {print $3}; NF == 2 {print $1}')
            for lib in $libs; do
                case $lib in
@k4lizen
k4lizen / exploit.py
Last active July 20, 2024 07:26
Binary Exploitation template
#!/usr/bin/env python
from pwn import *
HOST = "example.com"
PORT = 1337
using_aslr = False
exe = context.binary = ELF('./chal', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
# ld = ELF('./ld-linux-x86-64.so.2', checksec=False)
@k4lizen
k4lizen / lexploit.py
Last active March 31, 2024 13:54
Binary Exploitation template with custom LIBC
#!/usr/bin/env python
from pwn import *

def start():
    if args.GDB or args.DBG:
        return gdb.debug([ld.path, elff.path], gdbinit, aslr=using_aslr, env={"LD_PRELOAD": libc.path})
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2])
    return process([ld.path, elff.path], aslr=using_aslr, env={"LD_PRELOAD": libc.path})