Skip to content

Instantly share code, notes, and snippets.

View bbrod's full-sized avatar

bbrod

19 followers · 27 following
View GitHub Profile
@hfiref0x
hfiref0x / akagi_49a.c
Created August 23, 2018 16:34
UAC bypass using CreateNewLink COM interface
typedef struct tagCREATELINKDATA {
ULONG dwFlags;
WCHAR szLinkName[MAX_PATH]; // + 0x20C
WCHAR szExeName[MAX_PATH]; // + 0x414
WCHAR szParams[MAX_PATH]; // + 0x61C
WCHAR szWorkingDir[MAX_PATH]; // + 0x824
WCHAR szOriginalName[MAX_PATH]; // + 0xA2C
WCHAR szExpExeName[MAX_PATH]; // + 0xC34
WCHAR szProgDesc[MAX_PATH]; // + 0xE3C
WCHAR szFolder[MAX_PATH]; // + 0x1044
@zznop
zznop / mem-loader.asm
Last active June 6, 2025 11:29
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, [email protected]
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
@0xgalz
0xgalz / AutoFunc.py
Last active November 20, 2024 07:23
IDAPython- Change Function Names in IDA According to their corresponding debug prints
import idc
import idautils
import idaapi
FUNCTIONS_REGISTERS = {"g_log": "rcx", "g_log_error": "rdx"}
def get_string_for_function(call_func_addr, register):
"""
:param start_addr: The function call address
@jthuraisamy
jthuraisamy / windows-toolkit.md
Last active April 12, 2022 20:00
Windows Toolkit

Windows Toolkit

Binary

Native Binaries

IDA Plugins Preferred Neutral Unreviewed
@jakeajames
jakeajames / patchfinder64.c
Last active February 1, 2025 22:34
"kppless" sandbox profile patch for iOS 12
addr_t Find_platform_profile() {
uint64_t string = Find_strref("\"failed to initialize platform sandbox", 1, 0, false);
if (!string) {
string = Find_strref("\"failed to initialize platform sandbox", 1, 1, false);
if (!string) {
return 0;
}
}
string -= KernDumpBase;
@PsychoTea
PsychoTea / PanicParser.py
Last active June 11, 2023 19:54
A collection of useful iOS-related scripts
import sys
import json
import re
kslide = 0x0
if len(sys.argv) < 2:
print("Usage: PanicParser.py [file path]")
exit()
@zcutlip
zcutlip / lldb-hand-rolled-headers.md
Last active July 21, 2025 06:41
Importing Hand-Rolled C Header Files in LLDB

Importing Hand-Rolled C Header Files in LLDB

Scenario

  • We're debugging a dylib, libhello.dylib
  • The dylib is linked from hello
  • The exported function is helloworld()
  • We do not have source, but have reversed a struct from the library and created a hand-crafted header file

Header File

@0x36
0x36 / jpeg.c
Created March 25, 2020 21:51
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition
AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously,
it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure,
and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is
possible to release the port (if the port got substituted) during the processing of jpeg request and end up
with dangling pointer passed to _mach_msg_send_from_kernel_proper().
@d4em0n
d4em0n / crasher.c
Created October 16, 2020 14:30
Exploit CVE-2020-8835
#define _GNU_SOURCE
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
@PsychoTea
PsychoTea / ImportR2File.py
Created October 27, 2020 21:04
import idc
def define_func(addr, name):
idc.MakeCode(addr)
idc.MakeFunction(addr)
idc.MakeNameEx(addr, name, idc.SN_NOWARN)
print("%s @ %s" % (name, hex(addr)))