#!/usr/bin/env python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
import re | |
import sys | |
import string | |
import itertools | |
# UAF (use-after-free) in IndexCursor |
// TestGraphicDrv.cpp : Defines the entry point for the console application. | |
// | |
#include "stdafx.h" | |
#include <windows.h> | |
#include <d3dkmthk.h> | |
#include <d3d11.h> | |
#if defined _M_X64 | |
#define TRAMPOLINE_BYTES 12 | |
#elif defined _M_IX86 |
[BITS 32] | |
; This shellcode is meant to be executed in the kernel just after the token has | |
; been stolen. It walks up the stack looking for the first frame which returns | |
; to userland and returns into the one just before it. This is presumably | |
; nt!KiSystemServicePostCall which will clean up the operation before returning | |
; to userland. | |
; This shellcode clobbers ecx and ebx, and sets eax to 0 for the return value. |