wumb0

from scapy.all import *
import sys
import base64

# script to extract data from ping padding (http://wumb0.in/ping-exfil.html)

try:
    config.conf.iface = sys.argv[2]
except: pass

wumb0

from angr import Project, surveyors
from sys import exit
import claripy


'''vars
pstr: where the dynamic input will be stored in the state
phcode: the address of hash to collide with (the program loads the correct hash from this address)
find: the address we want the path explorer to find (the "you win" address)
retn: the simulation starts in a function called from main (check_password) but the 'find' address is in main so I need a place to return

wumb0

from pwn import *
from time import sleep

e = ELF('./dat-boinary')
libc = ELF(args.get('LIBC', './libc.so.6'))

if args.get('REMOTE'):
    r = remote("problems.ctfx.io", 1337)
else:
    r = process(e.path)

wumb0

from pwn import *
from libformatstr import FormatStr

context.log_level = 'info'

e = ELF("./greeting")

if args.get('REMOTE'):
    r = remote('pwn2.chal.ctf.westerns.tokyo', 16317, timeout=10)
else:

wumb0

from pwn import *
from time import sleep
import numpy as np
'''
this is a format string leak combined with house of force heap exploitation.
You control the amount of memory allocated. So allocating very little space, 
then a lot (calculated), then again will allow you to get a pointer to read/write
anywhere you want!

Steps:

wumb0

BITS 32
; flag: RC3-2016-YEAH-DATS-BETTER-BOII
; based on http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
              org     0x08048000
ehdr:
              db      "FLAG"             ; e_ident
              db      1, 1, 1, 0, 0
_start:       mov     ecx,promptsize
              jmp     main
              dw      2                       ; e_type

wumb0

'''asm console via keystone for python 2.7
pip install keystone-engine
python asmconsole.py -a ARM -m LITTLE_ENDIAN -f escape -b 0x000086e4
Little endian arm print escape codes and make base address 0x000086e4
'''

from __future__ import print_function
import keystone
import argparse
from sys import exit

wumb0

# Copyright (c) Microsoft Corporation.  All rights reserved. 
# For personal use only.  Provided AS IS and WITH ALL FAULTS.

# Set-WmiNamespaceSecurity.ps1
# Example: Set-WmiNamespaceSecurity root/cimv2 add steve Enable,RemoteAccess

# https://blogs.msdn.microsoft.com/wmi/2009/07/27/scripting-wmi-namespace-security-part-3-of-3/

function Set-WmiNamespaceSecurity {
    Param (

wumb0

$argss = @{Name="MonitorMalwareFilt";QueryLanguage="WQL";Query="select * from __instancecreationevent within 5 where targetinstance isa 'Malware'";EventNamespace="root\Microsoft\SecurityClient"}
$filt = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $argss
$argss = @{Name="MonitorMalwareCons";CommandLineTemplate="msg * Malware: %TargetInstance.ThreatName% from %TargetInstance.User% at %TargetInstance.Path% (Severity: %TargetInstance.SeverityID%)"}
$cons = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $argss
$argss = @{Filter=$filt;Consumer=$cons}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $argss

wumb0

from sqlalchemy import create_engine, Column, Integer, String, func
from sqlalchemy.orm import sessionmaker
from sqlalchemy.ext.declarative import declarative_base
from reportlab.lib.pagesizes import letter
from reportlab.lib.units import cm
from reportlab.pdfgen import canvas
from reportlab.pdfbase.pdfmetrics import stringWidth
import sys

try: