Skip to content

Instantly share code, notes, and snippets.

View Fuzion24's full-sized avatar
🏠
Working from home

Ryan Welton Fuzion24

🏠
Working from home
579 followers · 94 following
View GitHub Profile
@littlelailo
littlelailo / apollo.txt
Created September 27, 2019 12:04
Apple Bootrom Bug
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to recieve into the buffer
5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
7. if all the data was recieved th
@astarasikov
astarasikov / convert_teegris_tas.py
Last active April 19, 2024 20:53
Exynos9820 TEEGRIS TZAR unpack script
#!/usr/bin/env python3
# Usage: python convert_teegris_tas.py ~/Downloads/sw/pda/s10/fw/fw_G973FXXU4BTA8/AP/vendor/tee/
import os
import sys
from textwrap import wrap
def teegris_ta_to_elf(path_from, path_to):
with open(path_from, 'rb') as fin:
with open(path_to, 'wb') as fout:
@bazad
bazad / git-xnu.sh
Last active October 4, 2023 06:32
A script to create a git repository for Apple's XNU kernel source.
#! /bin/bash
#
# git-xnu.sh
# Brandon Azad
#
# A script to download Apple's XNU kernel source code and create a git
# repository.
#
XNU_DIR="xnu"
@CTurt
CTurt / nfssvc.c
Last active April 13, 2016 19:08
FreeBSD nfssvc system call integer overflow
/*
PoC for FreeBSD kernel integer overflow in nfssvc system call
Refer to bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206626
System call only accessible as root.
Running this test will panic affected versions of FreeBSD.
clang nfssvc.c -o n
su
@xerub
xerub / prologue.py
Last active July 15, 2022 00:18
AArch64 prologue
# Fix clang function prologues
# WARNING: this WILL patch bytes in the database
#
# Copyright (c) 2015 xerub
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
@smealum
smealum / bin2wav.py
Last active May 25, 2020 22:34
bangai-o soundhax
import sys
import wave
import struct
# bit0 is a single period sine wave at 1024Hz with a given amplitude
# bit1 is the same but with ~2.7 times the amplitude
bits = [[0x00, 0x09, 0x12, 0x1A, 0x21, 0x27, 0x2C, 0x2F, 0x30, 0x2F, 0x2C, 0x27, 0x21, 0x1A, 0x12, 0x09, 0x00, 0xF6, 0xED, 0xE5, 0xDE, 0xD8, 0xD3, 0xD0, 0xD0, 0xD0, 0xD3, 0xD8, 0xDE, 0xE5, 0xED, 0xF6], [0x00, 0x18, 0x30, 0x46, 0x59, 0x69, 0x75, 0x7C, 0x7F, 0x7C, 0x75, 0x69, 0x59, 0x46, 0x30, 0x18, 0x00, 0xE7, 0xCF, 0xB9, 0xA6, 0x96, 0x8A, 0x83, 0x81, 0x83, 0x8A, 0x96, 0xA6, 0xB9, 0xCF, 0xE7]]
bits[0] = [b^0x80 for b in bits[0]]
bits[1] = [b^0x80 for b in bits[1]]
bits[0] = struct.pack('%sB' % len(bits[0]), *bits[0])
anonymous
anonymous / blackmart.markdown
Created December 26, 2014 18:51
Reverse Engineering Blackmart

Hello reddit. Today, I'm going to be reverse engineering the Blackmart app. In case you don't know, Blackmart is an alternative Android app store which allows you to download paid apps for free.

###Redirecting and capturing the traffic### First of all, I will need to redirect the traffic of my tablet to my computer so I can use Wireshark to look at the data. To do this, I use LANS.py. It is a small python script which allows you to do MITM attacks.

LANS.py also shows you the URLs of the pages used by an app. It really helps with reverse-engineering APIs.

After redirecting the traffic to my computer and starting Wireshark, I run the Blackmart app, look at the recent apps section, do 2 searches for terraria and chronometer and download a chronometer app.

After doing these, I stop the capture, save it and start looking at the data.

@fi01
fi01 / cube-towel.c
Last active March 13, 2018 23:54
CVE-2014-3153 exploit code
//Android.mk にて、「LOCAL_CFLAGS := -fno-stack-protector -mno-thumb -O0」を指定すること。
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/futex.h>
@gdisneyleugers
gdisneyleugers / castealer.rb
Created April 11, 2014 07:23
require 'rubygems'
require 'openssl'
require 'digest/md5'
key = OpenSSL::PKey::RSA.new(2048)
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
ctx = OpenSSL::SSL::SSLContext.new
puts "Spoof must be in DER format and saved as root.cer"
raw = File.read "root.cer"
cert = OpenSSL::X509::Certificate.new raw
cert.version = 2
@winocm
winocm / ttbthingy.c
Last active December 18, 2016 11:08
'Shadow mappings', map the kernel as globally user writable memory. Just an example using vm_read/vm_write, plug this into your kernel exploit or whatever and save yourself some time with memory descriptor modification. Also, should make modifying _sysent a breeze.
/*
* Shadowmapping, a way of bypassing iOS 'kernel page bits protection'.
* (ARM32 only for now obviously.)
*
* Also a very nice and easy way of copying data in and out of kernel memory
* by breaking the barrier entirely. Thank you TTBCR and split TTBR0/TTBR1!<3
*
* Control flow goes like this if you have a write anywhere exploit:
*
* - Find location of kernel_pmap (dereference to get kernel_pmap_store.)