
@yarjor
yarjor / rop_notes.md
Last active March 15, 2022 02:10
[ROP Notes] #notes #rop #dep #return #exploit #binary

Some notes I wrote to myself concerning making of ROP-chains:

  • Creating a shellcode / pseudo-shellcode before starting to build the ROP-chain is useful and will serve as a reference for what you need, especially when trying to do something special in the ROP (e.g. not execve ;) )
Quick profit with ROP

This is a quick trick to build a ropchain :)

  1. First, you need to find certain gadgets for the needed operations:

     a. pop gadget for each of the registers ebx, ecx, edx (for setting them up as arguments for syscall)

     b. xor and inc gadgets for eax (for setting up the syscall number)

@yarjor
yarjor / convert_hex.bat
Created October 1, 2018 10:01
[Convert hex file to binary file] #arduino #ihex #avr #re #objcopy
objcopy -O binary -I ihex <input_file> <output_file>
@yarjor
yarjor / check_sections_writeability.sh
Last active October 1, 2018 08:15
[Format String Exploit helpers] #dtors #got #plt #fmt #binary #exploit #objdump
objdump -h <binary>
@yarjor
yarjor / get_ip_control.sh
Created September 30, 2018 11:48
[Get IP control offset] works for simple bof binaries. #eip #overflow #memorycorrupt #binary #radare2 #r2 #systemd #coredump #ragg2 #crash #debruijn
get_eip_control() {
    # Run the target with a 1024-byte De Bruijn pattern on stdin; if it does not crash there is nothing to measure
    (ragg2 -P 1024 -r | "$@") && echo "No eip control found" && return 1
    # Grab the core dump that systemd-coredump recorded for the crash
    (coredumpctl dump > eip_control.core) 2>/dev/null
    # Read the faulting EIP from the core, then look up its offset inside the pattern
    local eip=$(r2 -qc "dr eip" eip_control.core | tail -n 1)
    echo "Offset to control EIP: $(r2 -qc "wopO $eip" --)"
    rm eip_control.core
}
@yarjor
yarjor / detect_cipher.py
Created September 29, 2018 17:48
[Differentiate ECB/CBC] #oracle #detection #crypto #blockcipher #cbc #ecb
def divide_blocks(data, block_size):
    # Split the ciphertext into consecutive blocks of block_size bytes
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def detect_cipher(cipher_box):
    # Six identical 16-byte blocks: under ECB they encrypt to identical ciphertext
    # blocks, under CBC the chaining makes every ciphertext block different
    chosen_plaintext = b'a' * 16 * 6
    cipher_text = cipher_box(chosen_plaintext)
    cipher_blocks = divide_blocks(cipher_text, 16)
    if len(cipher_blocks) != len(set(cipher_blocks)):
        return 'ECB'
    else:
        return 'CBC'
@yarjor
yarjor / detect_block_size.py
Created September 29, 2018 17:45
[Detect cipher block size] #blockcipher #crypto #oracle #detection
def detect_block_size(cipher_box):
    # Feed inputs of growing length; the first jump in ciphertext length
    # is exactly one block (a whole new padding block was added)
    last_size = len(cipher_box(b'A'))
    counter = 0
    while True:
        counter += 1
        new_size = len(cipher_box(b'A' * counter))
        if new_size > last_size:
            return new_size - last_size
        last_size = new_size
@yarjor
yarjor / cat_file.asm
Last active September 28, 2018 16:03
[Read File to STDOUT x86 Shellcode] #shellcode #sendfile #assembly #x86
BITS 32
; Zero out registers (mul ecx with ecx=0 clears eax and edx too)
    xor ecx, ecx
    mul ecx
; NULL byte terminating the filename
    push ecx
; push filename (reversed, 4 bytes at a time)
    push 0x73
    push 0x7361702e
    push 0x2f413363
@yarjor
yarjor / repeat.md
Last active September 26, 2018 12:43
[Bash repeating letters] #bash #exploit #repeat

To enter repeating characters in bash (e.g. 42 * 'A'), press Alt+<n>, where n is the repetition count, then type the character to repeat. For example, Alt+100 A enters 100 A's.

@yarjor
yarjor / data_structures.md
Last active September 25, 2018 21:59
[Data Structures in radare2] #r2 #radare2 #C #structures

The most useful feature in r2 for working with data structures is the pf command, which prints formatted data. You can use this command to print the data at a given address according to a format, and moreover define named formats for structures that repeat. The command is used as pf [types] [member1] [member2] [...]. To see all the type codes, use pf??; pf??? shows some usage examples. To define a named type, use pf.[type] [..]. Example:

[0x08048e26]> pf.node ii*? value index (node)next
[0x08048e26]> pf.node @@ obj.node*
 value : 0x0804b230 = 432
 index : 0x0804b234 = 6
 next : (*0x0) NULL
@yarjor
yarjor / patch_xrefs.py
Created September 24, 2018 16:29
[Patch all XREFs] #r2pipe #radare2 #r2 #patch
# WARNING: This is probably bad in most cases, you should first analyze your binary and figure out if you really want to nop out all xrefs...
import r2pipe
import sys

NOP = '90'  # x86 single-byte nop, as a hex string for r2's write commands

def main(binary, location):
    # Open the binary in write mode (-w) so the patches hit the file on disk
    r2 = r2pipe.open(binary, ['-w'])
    print('[-] Analyzing binary...')