Monius Mon-ius

@Mon-ius
Mon-ius / redis-lua-linux-x86-poc.py
Created June 24, 2023 05:55 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@Mon-ius
Mon-ius / residence.pac
Created June 19, 2023 05:00 — forked from pagxir/residence.pac
Proxy auto-config for splitting domains between overseas and the large local network.
var _net_count = 15641;
var _net_list = [
{"net": 0x01000000, "prefix": 24}, {"net": 0x01000400, "prefix": 22}, {"net": 0x01001000, "prefix": 20}, {"net": 0x01004000, "prefix": 18},
{"net": 0x01008000, "prefix": 17}, {"net": 0x01010100, "prefix": 24}, {"net": 0x01014000, "prefix": 18}, {"net": 0x01018000, "prefix": 17},
{"net": 0x01020300, "prefix": 24}, {"net": 0x01028000, "prefix": 17}, {"net": 0x01040000, "prefix": 24}, {"net": 0x01048000, "prefix": 17},
{"net": 0x01050000, "prefix": 16}, {"net": 0x01060000, "prefix": 15}, {"net": 0x01090000, "prefix": 16}, {"net": 0x010a0a00, "prefix": 24},
{"net": 0x010a8000, "prefix": 17}, {"net": 0x010b0000, "prefix": 16}, {"net": 0x01100000, "prefix": 13}, {"net": 0x01200000, "prefix": 13},
{"net": 0x01280000, "prefix": 14}, {"net": 0x012c0000, "prefix": 16}, {"net": 0x012e0000, "prefix": 15}, {"net": 0x01340000, "prefix": 14},
{"net": 0x01400000, "prefix": 14}, {"net": 0x01480000, "prefix": 13}, {"net": 0x0160000

Exploiting Lua 5.1 on x86_64

The following Lua program generates a Lua bytecode program called lua-sandbox-rce.luac, which in turn spawns a shell from within the Lua 5.1 sandbox. The remainder of this document attempts to explain how this program works by a whirlwind tour of the relevant bits of the Lua 5.1 virtual machine.

function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
  local function middle()
    local co, upval
    local ub1 = {[0] = -- Convert uint8_t to char[1]
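Both the redis-lua-linux-x86-poc.py header above and corsix's write-up rest on the same primitive: the sandbox accepts a precompiled chunk, and hand-edited bytecode is not subject to the checks the compiler would have applied. The check a sandbox owner wants is therefore to refuse precompiled chunks outright. Lua 5.1 itself decides between the undumper and the parser by looking at the first byte of the chunk (the ESC byte of the "\x1bLua" signature), so the same test closes the door, and the 12-byte header that follows records the target's word sizes, which is why the 32-bit and 64-bit exploits differ in offsets. The following is an added example, not code from either gist: it parses the Lua 5.1 chunk header as laid out in lundump.c and rejects anything that is bytecode. The three sample chunks are constructed for the example.

```javascript
// Added example: recognise and refuse Lua 5.1 precompiled chunks.
// Header layout (lundump.c, luaU_header, LUAC_HEADERSIZE = 12):
//   "\x1bLua", version 0x51, format 0, endianness (1 = little),
//   sizeof(int), sizeof(size_t), sizeof(Instruction), sizeof(lua_Number),
//   integral flag (1 if lua_Number is an integer type).

const LUA_SIGNATURE = Uint8Array.from([0x1b, 0x4c, 0x75, 0x61]); // "\x1bLua"
const LUAC_VERSION = 0x51;
const LUAC_FORMAT = 0;
const LUAC_HEADERSIZE = 12;

// Lua's own loader dispatches on the first byte: ESC means "undump bytecode".
function isLuaBytecode(chunk) {
  return chunk.length > 0 && chunk[0] === LUA_SIGNATURE[0];
}

// Decode the fixed header; null if this is not a well-formed 5.1 header.
function parseLua51Header(chunk) {
  if (chunk.length < LUAC_HEADERSIZE) return null;
  for (let i = 0; i < LUA_SIGNATURE.length; i++) {
    if (chunk[i] !== LUA_SIGNATURE[i]) return null;
  }
  if (chunk[4] !== LUAC_VERSION || chunk[5] !== LUAC_FORMAT) return null;
  return {
    littleEndian: chunk[6] === 1,
    sizeofInt: chunk[7],
    sizeofSizeT: chunk[8],        // 4 on 32-bit Linux, 8 on x86_64
    sizeofInstruction: chunk[9],
    sizeofNumber: chunk[10],
    integralNumber: chunk[11] === 1,
  };
}

// Gate a chunk before handing it to the sandbox: only source text passes.
function checkChunk(chunk) {
  if (!isLuaBytecode(chunk)) return { ok: true, reason: "source text" };
  const h = parseLua51Header(chunk);
  if (h === null) return { ok: false, reason: "rejected: bytecode with malformed header" };
  return { ok: false, reason: `rejected: Lua 5.1 bytecode for a ${h.sizeofSizeT * 8}-bit target` };
}

// Constructed sample headers (little-endian, 4-byte int/Instruction, double lua_Number).
function sampleHeader(sizeofSizeT) {
  return Uint8Array.from([...LUA_SIGNATURE, LUAC_VERSION, LUAC_FORMAT, 1, 4, sizeofSizeT, 4, 8, 0]);
}
const LINUX32_HEADER = sampleHeader(4);
const LINUX64_HEADER = sampleHeader(8);
const SOURCE_CHUNK = new TextEncoder().encode('return redis.call("PING")');

console.log(checkChunk(SOURCE_CHUNK).reason);
console.log(checkChunk(LINUX32_HEADER).reason);
console.log(checkChunk(LINUX64_HEADER).reason);
```

The first-byte test is the one that matters for hardening; the header decode is there so an operator can see which target a rejected chunk was built for, which is exactly the sizeof(size_t) difference the exploit author had to account for between the 32-bit and 64-bit versions.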
@Mon-ius
Mon-ius / common.pac
Last active August 5, 2023 06:13
Auto Proxy Configuration file for Steam Socks5 and HTTP
const steamCommonList = [
"*steamcommunity.com*",
"*.steam-chat.com*",
"*.cm.steampowered.com*",
"*.steamdb.info*",
"*.steamstatic.com*",
"*.zoom.us*",
"*.discord.com*"
]
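The two PAC gists above split traffic on two different keys: common.pac matches host names against shell-style globs, and residence.pac matches the resolved address against a sorted list of 15641 network prefixes stored as 32-bit integers. With a list that size the PAC cannot loop over isInNet() per request, so the lookup has to be a binary search. The following is an added example, not the code of either gist, showing how those two matches fit together in a FindProxyForURL(). The globs and prefixes are a small constructed subset, the proxy string is assumed, and `resolve` stands in for the PAC runtime's dnsResolve() so the function can be exercised outside a browser.

```javascript
// Added example: split PAC logic combining a host glob list and a sorted CIDR list.

const PROXY = "SOCKS5 127.0.0.1:1080; PROXY 127.0.0.1:8080"; // assumed proxy string
const DIRECT = "DIRECT";

// shExpMatch()-style globs, a constructed subset of common.pac's list.
const PROXY_HOST_GLOBS = ["*steamcommunity.com*", "*.steamstatic.com*", "*.discord.com*"];

// Disjoint prefixes sorted by network address, in residence.pac's
// {"net": uint32, "prefix": len} form (constructed sample, not the real list).
const LOCAL_NETS = [
  { net: 0x01000000, prefix: 24 }, // 1.0.0.0/24
  { net: 0x01000400, prefix: 22 }, // 1.0.4.0/22
  { net: 0x0a000000, prefix: 8 },  // 10.0.0.0/8
  { net: 0xc0a80000, prefix: 16 }, // 192.168.0.0/16
];

// Turn a glob with '*' and '?' into an anchored RegExp, as shExpMatch does.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$");
}

function hostMatchesAny(host, globs) {
  return globs.some((g) => globToRegExp(g).test(host));
}

// Dotted-quad IPv4 to an unsigned 32-bit number; null for anything else.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Binary search for the last entry whose network address is <= addr, then
// verify addr is inside that prefix. Correct because the list is disjoint and
// sorted; an overlapping list would need longest-prefix handling instead.
function isLocalAddress(addr, nets) {
  let lo = 0, hi = nets.length - 1, best = -1;
  while (lo <= hi) {
    const mid = (lo + hi) >>> 1;
    if (nets[mid].net <= addr) { best = mid; lo = mid + 1; } else { hi = mid - 1; }
  }
  if (best < 0) return false;
  const { net, prefix } = nets[best];
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === net;
}

// PAC entry point. `resolve` replaces dnsResolve(host) for offline use;
// a deployed PAC file would call dnsResolve directly.
function FindProxyForURL(url, host, resolve) {
  if (hostMatchesAny(host, PROXY_HOST_GLOBS)) return PROXY;
  const ip = ipToInt(host) ?? ipToInt(resolve ? resolve(host) : "");
  if (ip !== null && isLocalAddress(ip, LOCAL_NETS)) return DIRECT;
  return PROXY; // assumed default: anything not local goes through the proxy
}

console.log(FindProxyForURL("http://x/", "10.1.2.3"));          // local -> DIRECT
console.log(FindProxyForURL("http://x/", "cdn.discord.com"));   // glob  -> PROXY
```

Two details worth keeping when adapting this to the full list: the `>>> 0` coercions keep the mask arithmetic unsigned, since JavaScript bitwise operators work on signed 32-bit values and 0xc0a80000-style addresses would otherwise compare as negative numbers; and the host-glob check runs before any DNS resolution, so names that must always go through the proxy never trigger a local lookup.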
[package]
name = "ddns"
version = "0.1.0"
edition = "2021"
[dependencies]
reqwest = { version = "0.11", features = ["blocking", "json"] }
tokio = { version = "1.19.2", features = ["full"] }
regex = "1"
local-ip-address = "0.4.4"
@Mon-ius
Mon-ius / Atom
Last active November 21, 2017 08:49
automatic update by http://atom.io/packages/sync-settings