@NSEcho
NSEcho / CVE-2023-41902
Last active September 21, 2023 16:06
CVE-2023-41902 - MacUpdater before 3.1.2 and 2.3.8 - Local Privilege Escalation
[Description]
An XPC misconfiguration in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows a local attacker to escalate privileges by combining the misconfigured XPC service with a crafted malicious .pkg file.
[VulnerabilityType Other]
CWE-269 (Improper Privilege Management)
[Vendor of Product]
CoreCode
@NSEcho
NSEcho / dylder.c
Last active June 21, 2023 20:50
Enumerate all loaded modules using mach_ API and dyld_image_info struct
#include <stdio.h>
#include <stdint.h>
#include <mach-o/loader.h>
#include <mach-o/dyld.h>
#include <mach-o/dyld_images.h>
#include <mach-o/nlist.h>
#include <mach/mach_vm.h>
#include <mach/mach_error.h>
#include <stdlib.h>
@NSEcho
NSEcho / call.md
Created March 22, 2023 09:39
LLDB dlopen and dlsym

Minimal dynamic library with one function in it.

#include <stdio.h>

void hello(const char *name) {
    printf("hello %s\n", name);
}
@NSEcho
NSEcho / pid_for_bundle.m
Created March 4, 2023 18:07
Get PID for bundle identifier
// gcc pid_for_bundle.m -o pid_for_bundle -framework Foundation -framework AppKit
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>

int main(int argc, const char **argv) {
    if (argc != 2) {
        printf("missing bundle identifier\n");
        printf("usage: %s com.example.name\n", argv[0]);
        exit(-1);
    }
@NSEcho
NSEcho / action.yml
Created February 24, 2023 16:34
Sample github workflow to generate pdf from md on every push, the result is in artifacts
# .github/workflows/generate.yml
name: generate pdf
on: [push]
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # apt-get needs -y here: without it the install prompt aborts on a non-interactive runner
      - run: sudo apt-get update && sudo apt-get install -y pandoc texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra
      - run: pip install weasyprint
@NSEcho
NSEcho / patcher.js
Created January 30, 2023 10:31
Simple usage of Memory.patchCode and writer
var Base = Process.getModuleByName("Base");
var baseAddress = Base.base;
// offset of the instruction to patch, relative to the module base (so it survives ASLR)
var jumpingAddress = ptr("0x50c20").add(baseAddress);
Memory.patchCode(jumpingAddress, 4, code => {
    console.log("patching first");
    const writer = new Arm64Writer(code, { pc: jumpingAddress });
    writer.putNop();   // overwrite the 4-byte instruction with a NOP
    writer.flush();    // commit the writer's bytes before patchCode re-protects the page
});
console.log("disassd", Instruction.parse(jumpingAddress));
@NSEcho
NSEcho / goruntime.js
Last active December 29, 2022 19:03
go runtime analysis
let Pointer = Process.pointerSize;
let syms = Process.enumerateModules()[0].enumerateSymbols();
let PCLNTAB = "runtime.pclntab"
let GOBUILDID = "go.buildid"
let GOROOTC = "runtime.defaultGOROOT.str"
let BUILDVERSIONC = "runtime.buildVersion.str"
let FIRSTMODULEDATAC = "runtime.firstmoduledata"
let GOSTRING = "go.string.*"
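Added example, not one of NSEcho's gists: once a script like the one above has found `runtime.pclntab`, the next step is to parse its header (the `pcHeader` struct in Go's `runtime/symtab.go`) and walk the functab to recover function names and entry PCs. The parser below is pure `DataView` code, so it runs in Node for testing and works unchanged on the `ArrayBuffer` returned by `Memory.readByteArray()` inside a Frida script. The sample table it parses is constructed by hand (not taken from a real binary); the magic values and field layouts are Go's own.

```javascript
// Added example (not from the gist): parse the Go pclntab header and functab.
// Supported layouts: Go 1.16 (magic 0xFFFFFFFA) and Go 1.18/1.20+ (0xFFFFFFF0 /
// 0xFFFFFFF1). The pre-1.16 layout (0xFFFFFFFB) is rejected instead of mis-parsed.
const PCLNTAB_MAGIC = { 0xFFFFFFFA: '1.16', 0xFFFFFFF0: '1.18', 0xFFFFFFF1: '1.20' };

function parsePclntab(buf) {
  const dv = new DataView(buf);
  // Try little-endian first, then big-endian, by looking for a known magic.
  let le = true;
  let magic = dv.getUint32(0, le);
  if (!(magic in PCLNTAB_MAGIC)) { le = false; magic = dv.getUint32(0, le); }
  if (!(magic in PCLNTAB_MAGIC)) {
    throw new Error('unsupported pclntab magic 0x' + magic.toString(16));
  }
  if (dv.getUint8(4) !== 0 || dv.getUint8(5) !== 0) throw new Error('pad bytes not zero');
  const minLC = dv.getUint8(6);     // minimum instruction size (1 on amd64, 4 on arm64)
  const ptrSize = dv.getUint8(7);
  if (ptrSize !== 4 && ptrSize !== 8) throw new Error('bad ptrSize ' + ptrSize);
  const version = PCLNTAB_MAGIC[magic];
  const is118 = version !== '1.16';  // 1.18+ adds textStart and uses uint32 functab fields

  const uptr = (o) => (ptrSize === 8 ? Number(dv.getBigUint64(o, le)) : dv.getUint32(o, le));
  let off = 8;                       // header words after the 8-byte prefix are ptrSize wide
  const next = () => { const v = uptr(off); off += ptrSize; return v; };
  const nfunc = next();
  const nfiles = next();
  const textStart = is118 ? next() : 0;
  const funcnameOffset = next();     // all offsets below are relative to the pcHeader
  const cuOffset = next();
  const filetabOffset = next();
  const pctabOffset = next();
  const pclnOffset = next();         // start of the functab

  // functab: nfunc {entry, funcoff} pairs (plus a trailing end marker we do not need).
  // 1.18+: entry is a uint32 offset from textStart; 1.16: entry is an absolute uintptr.
  const fieldSize = is118 ? 4 : ptrSize;
  const field = (o) => (fieldSize === 4 ? dv.getUint32(o, le) : uptr(o));
  const cstr = (o) => {
    let s = '';
    for (let i = o; dv.getUint8(i) !== 0; i++) s += String.fromCharCode(dv.getUint8(i));
    return s;
  };
  const funcs = [];
  for (let i = 0; i < nfunc; i++) {
    const ent = pclnOffset + i * 2 * fieldSize;
    const entry = field(ent);
    const funcoff = field(ent + fieldSize);               // _func record, relative to the pcHeader
    const nameOff = dv.getInt32(funcoff + fieldSize, le); // _func.nameOff follows the entry field
    funcs.push({ entry: is118 ? textStart + entry : entry, name: cstr(funcnameOffset + nameOff) });
  }
  return { version, ptrSize, minLC, nfunc, nfiles, textStart, cuOffset, filetabOffset, pctabOffset, funcs };
}

// Constructed sample (not from a real binary): a minimal Go 1.20 amd64 pclntab
// with two functions, laid out by hand so the parser can be exercised offline.
function buildSamplePclntab() {
  const buf = new ArrayBuffer(168);
  const dv = new DataView(buf);
  const u8 = new Uint8Array(buf);
  dv.setUint32(0, 0xFFFFFFF1, true);  // Go 1.20 magic
  dv.setUint8(6, 1);                  // minLC
  dv.setUint8(7, 8);                  // ptrSize
  // nfunc, nfiles, textStart, funcnameOffset, cuOffset, filetabOffset, pctabOffset, pclnOffset
  [2, 1, 0x401000, 72, 96, 100, 104, 112].forEach((v, i) => dv.setBigUint64(8 + i * 8, BigInt(v), true));
  const names = 'main.main\0main.helper\0';              // funcnametab at offset 72
  for (let i = 0; i < names.length; i++) u8[72 + i] = names.charCodeAt(i);
  // functab at 112: {entryoff, funcoff} uint32 pairs plus the end-of-text marker
  [[0x00, 136], [0x40, 152], [0x80, 0]].forEach(([e, f], i) => {
    dv.setUint32(112 + i * 8, e, true);
    dv.setUint32(116 + i * 8, f, true);
  });
  // _func records (16 bytes each here, rest zero): entryoff uint32, nameoff int32
  dv.setUint32(136, 0x00, true); dv.setInt32(140, 0, true);   // main.main
  dv.setUint32(152, 0x40, true); dv.setInt32(156, 10, true);  // main.helper
  return buf;
}

const info = parsePclntab(buildSamplePclntab());
info.funcs.forEach((f) => console.log('0x' + f.entry.toString(16), f.name));
```

In a Frida script the same `parsePclntab` can be fed `Memory.readByteArray(pclntabAddr, size)` where `pclntabAddr` is the address of the `runtime.pclntab` symbol found by `enumerateSymbols()`; the header offsets are relative to that address, so no further rebasing is needed. Stripped binaries keep the pclntab (the runtime needs it for stack traces), which is why this works even when the symbol table itself is gone.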
@NSEcho
NSEcho / manager_async_example.go
Created October 21, 2022 19:59
FridaDeviceManager async implementation
package frida

/*
#include <frida-core.h>
#include <stdlib.h>

typedef struct _usb_device_data {
    FridaDeviceManager *manager;
    gint timeout;
    GCancellable *cancellable;
@NSEcho
NSEcho / replacer.js
Created June 2, 2022 13:43
Replace native function with frida
/*
1. First we need to obtain the ASLR slide.
   For the first module the slide is its runtime base minus the 0x100000000 preferred load address:
   var slide = Process.enumerateModules()[0].base.sub(ptr('0x100000000'));
   By name: var slide = Module.findBaseAddress("name").sub(ptr('0x100000000'));
   (findBaseAddress already returns a NativePointer, so there is no .base property to read.)
2. Get the address of the function/method we want to replace
3. Replace it using Interceptor.replace in format
*/
ObjC.choose(ObjC.classes.UIAlertController, {
    onMatch: function(instance) {
        ObjC.schedule(ObjC.mainQueue, function() {
            instance.dismissViewControllerAnimated_completion_(true, ptr(0x0));
        });
    },
    onComplete: function() {}
});