+------------------+
|These push their | +-----------------------+
|respective syscall| |This overwrites the |
|dispatch functions| |saved dispatch function|
|onto the stack | |with hndl_alltraps |
yrp604
/ xnu-syscall-life-amd64.md
Last active
October 2, 2023 15:59
The life of an XNU unix syscall on amd64
mattifestation
/ drop_binary.bat
Created
July 12, 2015 05:49
Drop binary data from the command line w/o needing PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo -----BEGIN CERTIFICATE----- > encoded.txt | |
| echo Just Base64 encode your binary data | |
| echo TVoAAA== >> encoded.txt | |
| echo -----END CERTIFICATE----- >> encoded.txt | |
| certutil -decode encoded.txt decoded.bin |
ckuethe
/ gist:c94c045b61867d0979de
Last active
August 29, 2015 14:20
mx53 bootroom hopper annotations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "0": { | |
| "comm": "\nSection .text\n\nRange 0x0 - 0x4000 (16384 bytes)\nFile offset 65536 (16384 bytes)\n", | |
| "icom": null, | |
| "name": "BOOTROM_BASE", | |
| "seg": 0 | |
| }, | |
| "148": { | |
| "comm": null, | |
| "icom": null, |
anonymous
/ gist:de6b81c556b5dc7cdc8b
Created
February 20, 2015 01:42
Kernel panic in latest OS X in 10 lines of C
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <unistd.h> | |
| #include <mach/mach.h> | |
| #include <mach/mach_vm.h> | |
| #include <mach-o/dyld.h> | |
| int | |
| main (int argc, char * argv[]) | |
| { | |
| volatile char * library; | |
| const mach_vm_size_t page_size = getpagesize (); |
lyonanderson
/ gist:9c47f039cb695e0a9965
Created
February 14, 2015 16:11
Get the DigitalDevceID of a device connected to the lighting port without Jailbreak. See http://ramtin-amin.fr/#tristar for more info on IOAccessoryDigitalID
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| python -c "print '`idevicediagnostics ioreg IOAccessory | grep -A 2 IOAccessoryDigitalID | tail -1`'.strip().decode('base64').encode('hex')" |
christopher-hopper
/ vm-resize-hard-disk.md
Last active
April 5, 2022 10:30
Resize a Hard Disk for a Virtual Machine provisioned using Vagrant from a Linux base box to run using VirutalBox.
Our Virtual Machines are provisioned using Vagrant from a Linux base box to run using VirutalBox. If the Hard Disk space runs out and you cannot remove files to free-up space, you can resize the Hard Disk using some VirtualBox and Linux commands.
The following steps assume you've got a set-up like mine, where:
winocm
/ ttbthingy.c
Last active
December 18, 2016 11:08
'Shadow mappings', map the kernel as globally user writable memory. Just an example using vm_read/vm_write, plug this into your kernel exploit or whatever and save yourself some time with memory descriptor modification. Also, should make modifying _sysent a breeze.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Shadowmapping, a way of bypassing iOS 'kernel page bits protection'. | |
| * (ARM32 only for now obviously.) | |
| * | |
| * Also a very nice and easy way of copying data in and out of kernel memory | |
| * by breaking the barrier entirely. Thank you TTBCR and split TTBR0/TTBR1!<3 | |
| * | |
| * Control flow goes like this if you have a write anywhere exploit: | |
| * | |
| * - Find location of kernel_pmap (dereference to get kernel_pmap_store.) |
rspeer
/ deadbeef_character.py
Last active
June 12, 2023 12:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| This file contains code that, when run on Python 2.7.5 or earlier, creates | |
| a string that should not exist: u'\Udeadbeef'. That's a single "character" | |
| that's illegal in Python because it's outside the valid Unicode range. | |
| It then uses it to crash various things in the Python standard library and | |
| corrupt a database. | |
| On Python 3... well, this file is full of syntax errors on Python 3. But | |
| if you were to change the print statements and byte literals and stuff: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| file_to_disk = './tmp/large_disk.vdi' | |
| Vagrant::Config.run do |config| | |
| config.vm.box = 'base' | |
| config.vm.customize ['createhd', '--filename', file_to_disk, '--size', 500 * 1024] | |
| config.vm.customize ['storageattach', :id, '--storagectl', 'SATA Controller', '--port', 1, '--device', 0, '--type', 'hdd', '--medium', file_to_disk] | |
| end |