Gareth Jones symm

hfiref0x / akagi_58a.c
Created Oct 23, 2019
UAC bypass using EditionUpgradeManager COM interface
View akagi_58a.c
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
lizthegrey / attributes.rb
Last active Nov 4, 2019
Hardening SSH with 2fa
View attributes.rb
default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam'
default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes'
default['sshd']['sshd_config']['PasswordAuthentication'] = 'no'
mattifestation / LoadInMemoryModule.ps1
Created Mar 30, 2018
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
View LoadInMemoryModule.ps1
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)

Root OnePlus5 without unlocking the bootloader

Gain adb root.

$ adb shell am start -n --es "code" "angela"

Download Magisk-v14.0 and extract it somewhere. Download MagiskManager.

sators / connect.php
Last active Feb 25, 2019
PHP MySQLi Amazon Aurora RDS EC2 IAM Role Based Authentication
View connect.php
/********* CONFIG ********/
$clusterEndpoint = "";
$clusterPort = 3306;
$clusterRegion = "us-east-1";
$dbUsername = "";
$dbDatabase = "";
konsumer / radioreference2SDRTouchPresets.js
Last active Nov 6, 2019
Build SDRTouch Presets from radioreference site
View radioreference2SDRTouchPresets.js
// Put this into Developer console
// on a page like
function tableToJs ($table) {
const headers = $('th', $table).map((i, th) => $(th).text().trim())
const out = []
$('tr', $table).each((i, tr) => {
const row = {}
$('td', tr).map((i, td) => {
row[ headers[i] ] = $(td).text()
View chat-frontend.js
"use strict";
// for better performance - to avoid searching in DOM
const inputElement = document.getElementById('input');
const contentElement = document.getElementById('content');
const statusElement = document.getElementById('status');
// my color assigned by the server
var myColor = false;
// my name sent to the server
egirault /
Last active Oct 22, 2019
Dumping the flash memory of the Syscan 2015 badge

Dumping the flash of the Syscan 2015 badge

The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.

Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference, in which they reveal a vulnerability that allows bypassing the readout protection. Their technique allows dumping the flash one DWORD at a time, rebooting the CPU between each access.

I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to

alexellis /
Last active Nov 10, 2019
K8s on Raspbian
View clock-example.php
* This is the clock interface. It's really simple, you write it once, use it anywhere.
* Cool extra things you can do:
* - have it return custom value objects
* - separate method for currentDate() without time part
interface Clock