Skip to content

Instantly share code, notes, and snippets.

View hugsy's full-sized avatar
:octocat:
‎just hacking on

crazy hugsy hugsy

:octocat:
‎just hacking on
1.1k followers · 179 following
View GitHub Profile
@hugsy
hugsy / FreeBSD-SA-13-06-mmap.c
Created July 5, 2013 11:08
FreeBSD privilege escalation CVE-2013-2171 exploit
/**
* FreeBSD privilege escalation CVE-2013-2171 (credits Konstantin Belousov & Alan Cox)
*
* tested on FreeBSD 9.1
* ref: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
*
* @_hugsy_
*
* Syntax :
$ id
@hugsy
hugsy / screenshot_browser.py
Last active December 27, 2015 01:28
Headless browser screenshoter
#!/usr/bin/env python2
import os
import sys
import time
import subprocess
try:
from pyvirtualdisplay import Display
except ImportError:
@hugsy
hugsy / fakeid.py
Last active December 14, 2021 00:59
Fake ID generator
import sys, time, requests, bs4
RANDOM_ID_URL = "http://www.fakenamegenerator.com/gen-random-us-us.php"
class RandomPerson:
def __init__(self):
self.soup = bs4.BeautifulSoup(self.get_page_text(), "lxml")
d = self.soup.find("div", "address")
self.firstname, self.lastname = d.h3.string.rsplit(" ", 1)
@hugsy
hugsy / jdwp-shellifier.py
Created December 9, 2013 07:54
Standalone script to universally execute command on an open JDWP service
##############################################################
#
# Universal JDWP shellifier
#
# References
# * http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html
# * http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html
#
# Note: this script DOES NOT read output from command executed on backend. You should
# only use it to create a reverse shell
@hugsy
hugsy / QuickTip1.md
Last active June 18, 2020 22:29
Using new syscalls to bypass ptrace-protected process and read/write arbitrary memory.

Even though well known methods exist to bypass ptrace deactivation on a process when spawning (fake ptrace() preloading, breakpoint on ptrace(), etc... ), it is trickier when process is already protected.

Thankfully Linux 3.2+ was generous enough to provide read/write capabilities to another process with 2 new system calls: sys_process_vm_readv and sys_process_vm_writev. (see https://github.com/torvalds/linux/blob/master/arch/x86/syscalls/syscall_64.tbl#L319)

Manual says:

These system calls transfer data between the address space of the calling

@hugsy
hugsy / disable_rand.c
Last active May 19, 2017 00:28
simple trick to disable rand() on x64
/*
* enferex trick to disable rand() on x64
* @_hugsy_
*/
#include <stdlib.h>
#include <time.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
@hugsy
hugsy / shellcode_wrapper_linux.c
Last active August 29, 2015 13:57
Moved from private to public
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
@hugsy
hugsy / checksec.c
Last active March 5, 2021 16:31
PE version of checksec.sh
/**
* Poor version of checksec.sh script for PE (checks for ASLR, NX, Integrity, SEH flags)
*
* Copy/Paste commands
* c:\> dir /s /b *.dll > DllList.txt
* c:\> checksec.exe -f DllList.txt > DllList_checksec.txt
*
* @ref
* https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
*/
@hugsy
hugsy / CVE-2014-0195.py
Created June 10, 2014 05:54
#!/usr/bin/env python2
#
# OpenSSL heap overflow PoC
# Found by ZDI - ZDI-14-173 // CVE-2014-0195
# PoC by @_hugsy_
#
# Ref: https://tools.ietf.org/html/rfc6347
#
import socket, struct
@hugsy
hugsy / gist:65899ee6f385fbb112d8
Created July 5, 2014 12:08
exploit for pwn100 of Pwnium CTF2014
import socket
import struct
import sys
#HOST = "192.168.69.71"
HOST = "41.231.53.42"
PORT = 8282
def _s(i):
return struct.pack("<I", i)