Eldar Marcussen wireghoul

@timb-machine
timb-machine / badrpath.sh
Created July 4, 2022 23:29
badrpath.sh
#!/bin/sh
find / \( \( -perm -u+s \) -o \( -perm -g+s \) \) -a -type f 2>/dev/null | while read SUIDFILE
do
LSFILE=`ls -la "$SUIDFILE"`
objdump -x "$SUIDFILE" 2>&1| egrep 'RPATH|RUNPATH' | while read name paths
do
if [ -n "$paths" ]; then
echo "$paths" | tr ":" "\n" | while read RPATHDIR
do
if [ "`echo "$RPATHDIR" | cut -c 1`" != "/" ]
@mattifestation
mattifestation / LoadMethodScanner.ps1
Last active December 12, 2023 10:05
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
@hugsy
hugsy / QuickTip1.md
Last active June 18, 2020 22:29
Using new syscalls to bypass ptrace-protected process and read/write arbitrary memory.

Even though well-known methods exist to bypass ptrace deactivation on a process when spawning it (fake ptrace() preloading, breakpoint on ptrace(), etc.), it is trickier when the process is already protected.

Thankfully Linux 3.2+ was generous enough to provide read/write capabilities to another process with 2 new system calls: sys_process_vm_readv and sys_process_vm_writev. (see https://github.com/torvalds/linux/blob/master/arch/x86/syscalls/syscall_64.tbl#L319)

Manual says:

These system calls transfer data between the address space of the calling

BuiltinFunctions::ProhibitBooleanGrep
BuiltinFunctions::ProhibitStringyEval
BuiltinFunctions::ProhibitStringySplit
BuiltinFunctions::ProhibitUniversalCan
BuiltinFunctions::ProhibitUniversalIsa
ClassHierarchies::ProhibitExplicitISA
ControlStructures::ProhibitMutatingListFunctions
ControlStructures::ProhibitUnreachableCode
ErrorHandling::RequireCarping
InputOutput::ProhibitBarewordFileHandles
@gerry
gerry / st_upload-exploit.py
Last active August 23, 2016 06:17
Exploit for CVE-2011-0364
#!/usr/bin/env python
# Thu 24 Jun 2010 04:20:52 AM EDT
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"