Skip to content

Instantly share code, notes, and snippets.

View Mon-ius's full-sized avatar

Monius Mon-ius

View GitHub Profile
Mon-ius / Atom
Last active November 21, 2017 08:49
automatic update by
name = "ddns"
version = "0.1.0"
edition = "2021"
reqwest = { version = "0.11", features = ["blocking", "json"] }
tokio = { version = "1.19.2", features = ["full"] }
regex = "1"
local-ip-address = "0.4.4"

Exploiting Lua 5.1 on x86_64

The following Lua program generates a Lua bytecode program called lua-sandbox-rce.luac, which in turn spawns a shell from within Lua 5.1 sandbox. The remainder of this document attempts to explain how this program works by a whirlwind tour of relevent bits of the Lua 5.1 virtual machine.

function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
  local function middle()
    local co, upval
    local ub1 = {[0] = -- Convert uint8_t to char[1]
Mon-ius / residence.pac
Created June 19, 2023 05:00 — forked from pagxir/residence.pac
proxy auto config for split domain into oversea and big local network.
var _net_count = 15641;
var _net_list = [
{"net": 0x01000000, "prefix": 24}, {"net": 0x01000400, "prefix": 22}, {"net": 0x01001000, "prefix": 20}, {"net": 0x01004000, "prefix": 18},
{"net": 0x01008000, "prefix": 17}, {"net": 0x01010100, "prefix": 24}, {"net": 0x01014000, "prefix": 18}, {"net": 0x01018000, "prefix": 17},
{"net": 0x01020300, "prefix": 24}, {"net": 0x01028000, "prefix": 17}, {"net": 0x01040000, "prefix": 24}, {"net": 0x01048000, "prefix": 17},
{"net": 0x01050000, "prefix": 16}, {"net": 0x01060000, "prefix": 15}, {"net": 0x01090000, "prefix": 16}, {"net": 0x010a0a00, "prefix": 24},
{"net": 0x010a8000, "prefix": 17}, {"net": 0x010b0000, "prefix": 16}, {"net": 0x01100000, "prefix": 13}, {"net": 0x01200000, "prefix": 13},
{"net": 0x01280000, "prefix": 14}, {"net": 0x012c0000, "prefix": 16}, {"net": 0x012e0000, "prefix": 15}, {"net": 0x01340000, "prefix": 14},
{"net": 0x01400000, "prefix": 14}, {"net": 0x01480000, "prefix": 13}, {"net": 0x0160000
Mon-ius /
Created June 24, 2023 05:55 — forked from c3c/
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system"
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
Mon-ius / common.pac
Last active August 5, 2023 06:13
Auto Proxy Configuration file for Steam Socks5 and HTTP
const steamCommonList = [
Mon-ius /
Created January 20, 2024 12:29 — forked from lbrame/
Running rootless unprivileged Podman containers on Arch Linux

Setting up podman rootless containers on Arch Linux

Podman is a container engine that is similar to and fully compatible with Docker that has the peculiarity of not requiring a daemon to run and to allow for rootless containers, which are often deemed safer than privileged containers running as root. Podman is a drop-in replacement for Docker that even supports the same syntax and it has good support from Red Hat.

However, running podman rootless containers on Arch Linux may not be obvious, so I'm writing the instructions I have used to achieve that here.

Podman works using control groups and users from which said containers need to be launched need to be assigned an appropriate range of subordinate user and group IDs. On Arch Linux, these files are not present and they need to be created.

From a root shell:

Mon-ius /
Created February 7, 2024 21:11 — forked from gdamjan/
run a minimal alpine based initramfs in VM machine

in 5 easy steps


get cloud-hypervisor or firecracker


compile a kernel (use the provided x_kernel_config file), you'll need the stripped ELF file in arch/x86/boot/compressed/vmlinux.bin or the compressed bzImage for cloud-hypervisor.

Mon-ius / train.txt
Created February 16, 2024 09:02 — forked from ChenYFan/train.txt
猫娘调教实记 12/8
Mon-ius /
Created February 25, 2024 13:28 — forked from nghia4007/
. "$LIBDIR/"
. "$LIBDIR/"