Skip to content

Instantly share code, notes, and snippets.

View brant-ruan's full-sized avatar
:octocat:
不要尖叫

Bonan Ruan brant-ruan

:octocat:
不要尖叫
View GitHub Profile
// gcc -o test_kcov test_kcov.c -static
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
// KCOV IOCTL 定义
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root. Please use 'sudo' to run it."
exit 1
fi
if [ $# -eq 0 ]; then
echo "Usage: $0 <version>"
exit 1
@brant-ruan
brant-ruan / auth.c
Created February 18, 2024 14:26
CVE-2018-1000028 - debugging fs/nfsd/auth.c
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
{
struct group_info *rqgi;
struct group_info *gi;
struct cred *new;
int i, j;
int flags = nfsexp_flags(rqstp, exp);
validate_process_creds();
/* CGI decoding as C program */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
int hex_values[256];
void init_hex_values() {
Location = Tuple[str, int]
class Coverage:
"""Track coverage within a `with` block. Use as
```
with Coverage() as cov:
function_to_be_traced()
c = cov.coverage()
```
"""
@brant-ruan
brant-ruan / tfb_cgi_decode.py
Created October 28, 2023 13:29
The Fuzzing Book - cgi_decode.py
def cgi_decode(s: str) -> str:
"""Decode the CGI-encoded string `s`:
* replace '+' by ' '
* replace "%xx" by the character with hex number xx.
Return the decoded string. Raise `ValueError` for invalid inputs."""
# Mapping of hex digits to their integer values
hex_values = {
'0': 0, '1': 1, '2': 2, '3': 3, '4': 4,
'5': 5, '6': 6, '7': 7, '8': 8, '9': 9,
@brant-ruan
brant-ruan / exploit_bypass_kaslr_smap_smep_ret2dir.c
Created February 4, 2023 07:58
ret2dir | Pawnyable LK01-2
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>
@brant-ruan
brant-ruan / rds_amd64_ret2dir.c
Created February 3, 2023 15:50
ret2dir | CVE-2010-3904 | by Dan Rosenberg and Vasileios P. Kemerlis
/*
* Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
* CVE-2010-3904
* by Dan Rosenberg <drosenberg@vsecurity.com>
*
* Copyright 2010 Virtual Security Research, LLC
*
* The handling functions for sending and receiving RDS messages
* use unchecked __copy_*_user_inatomic functions without any
* access checks on user-provided pointers. As a result, by
@brant-ruan
brant-ruan / perf-events_amd64_ret2usr.c
Created February 3, 2023 15:20
ret2usr | CVE-2013-2094 | by sorbo
/*
* CVE-2013-2094 exploit x86_64 Linux < 3.8.9
* by sorbo (sorbo@darkircop.org) June 2013
*
* Based on sd's exploit. Supports more targets.
*
*/
#define _GNU_SOURCE
#include <string.h>
@brant-ruan
brant-ruan / perf-events_amd64_ret2dir.c
Last active February 3, 2023 15:16
ret2dir | CVE-2013-2094 | by Vasileios P. Kemerlis
/*
* Linux kernel exploit (privilege escalation)
* CVE-2013-2094 (PERF_EVENTS)
* Vasileios P. Kemerlis <vpk@cs.columbia.edu>
*
* Based on the exploits of `sd', `sorbo', and `spender';
* uses the `ret2dir' technique for bypassing:
* - SMEP+SMAP (Intel)
* - KERNEXEC/UDEREF (PaX)
*