@kernullist
kernullist / script.ps1
Created January 24, 2018 04:41
Hooking MessageBox For No-Prompt Trusted Root Certificate Install
#Verify Not Present
( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
#Import-Certificate
( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
#Prompted
Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99
kernullist / spectre.c
Created January 8, 2018 04:54 — forked from ErikAugust/spectre.c
Spectre example code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

Spectre still unfixed, unlike what Intel says

Written by https://twitter.com/never_released , reviewed and corrected by Alex Ionescu

On January 4th, 3 separate vulnerabilities were released, the first two being named Spectre (Variant 1 and 2) and the third being Meltdown (Variant 3).

Intel CPUs are affected by all vulnerabilities, as are Apple A-series CPUs used on iOS devices, nVidia Tegra X2, the ARM Cortex-A75 and the Qualcomm Snapdragon 845 CPUs. CPUs with speculative execution from other manufacturers (other ARM "big" cores, AMD CPUs, PowerPC, ...) are affected by Spectre but not Meltdown.

In-order CPUs (such as the ARM Cortex-A7, the ARM Cortex-A53, and Atoms before 2013) are not affected by Meltdown and Spectre.

kernullist / spectre.c
Created January 5, 2018 08:21 — forked from Badel2/spectre.c
Spectre attack example implementation
/* https://spectreattack.com/spectre.pdf */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
kernullist / main.c
Created July 21, 2017 01:55 — forked from hfiref0x/main.c
NtLoadEnclaveData Windows 10 RS3 DSE bypass
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
RTL_OSVERSIONINFOW g_osv;
#define CI_DLL "ci.dll"
kernullist / bin2elf.sh
Created February 20, 2017 01:20 — forked from tangrs/bin2elf.sh
Convert a memory dump/raw binary image into an ELF file
#!/bin/sh
# Convert a raw binary image into an ELF file suitable for loading into a disassembler
cat > raw$$.ld <<EOF
SECTIONS
{
EOF
echo " . = $3;" >> raw$$.ld
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
kernullist / naughtyc0w.c
Created October 27, 2016 00:52 — forked from mak/naughtyc0w.c
exploit for CVE-2016-5195, nothing fancy
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>