lcfr-eth / gro_frag.c
Created May 22, 2026 15:18
LPE via GRO managed-frag UAF
/*
* gro_frag.c — LPE via GRO managed-frag UAF (io_uring SEND_ZC + veth)
*
* The bug: skb_gro_receive() copies frag descriptors from a ZC skb
* (SKBFL_MANAGED_FRAG_REFS → no per-frag page refs) into a non-ZC
* GRO accumulator. When the accumulator is freed, skb_release_data()
* calls put_page() on each frag — including the stolen ones that never
* had get_page() called. This gives us one extra put_page per merged
* ZC frag: a refcount underflow.
*
/*
* sockmap_lpe_ktls.c — full LPE via kTLS + sockmap page cache corruption
*
* https://lore.kernel.org/stable/20260517121626.406516-1-rollkingzzc@gmail.com/
*
* Works on ALL kernels 4.18+ (including 6.5+ where sendpage was removed).
*
* Chain: sendfile → tls_sw_sendmsg(MSG_SPLICE_PAGES)
* → tls_sw_sendmsg_splice → sk_msg_page_add(msg_pl, page)
* → bpf_exec_tx_verdict(msg_pl)
lcfr-eth / fgt_7.4.x_rootfs_decrypt.py
Created December 2, 2025 16:04 — forked from rrrrrrri/fgt_7.4.x_rootfs_decrypt.py
fgt_7.4.x_rootfs_decrypt
import magic
import r2pipe
import hashlib
import argparse
import subprocess
from unicorn import *
from unicorn.x86_const import *
# from udbserver import * # uncomment this line if you want to debug
def pad_size(size):
import polars as pl
import typer
import re
# Root Typer application object; CLI sub-commands are attached to it
# through the @app.command decorator.
app = typer.Typer(
    help="Contract Query Tool",
)
@app.command("bytes")
def find_code(
code: str = typer.Argument(..., help="Bytes/string pattern to search for"),
init: bool = typer.Option(False, "--init", "-i", help="Search in init_code instead of runtime code"),
924 days ago (Oct-22-2022 01:41:11 AM UTC)
{"evt_tx_hash":"0x6293113475f1fdd7079727d88ec4951a57ed7fbcd72567b25b52ad79767d07bd","name":"\u003cscript\u003ealert(\"xss\")\u003c/script\u003e"},
820 days ago (Feb-03-2023 08:45:59 AM UTC)
{"evt_tx_hash":"0x0c2232ce1a7fdcd9f3db20881eb9e42340b2d1afdb716a19be7bf524c80860c1","name":"\u003cscript\u003ealert(/Hey there/)\u003c/script\u003e"},
810 days ago (Feb-13-2023 02:03:23 PM UTC)
{"evt_tx_hash":"0xfd8df3795190abf1ba4fe03bea4c6c6691cbc43a78e7dcc52d17b40b786e3924","name":"\u003cscript\u003ealert('plsgibgoodbountythx')\u003c/script\u003e"},
810 days ago (Feb-13-2023 12:54:23 PM UTC)
{"evt_tx_hash":"0x8fbbc2b3a835d54c63a370c55bd1274ac9c64cb1dd26ef9540644c23db8d2022","name":"\u003cscript\u003ealert('lcfr.eth')\u003c/script\u003e"},
810 days ago (Feb-13-2023 01:00:23 AM UTC)
{"evt_tx_hash":"0x97fc5acbd7e1897ff6b2dd0b73628024036299851fa35d66d0aba357fcdead9b","name":"\u003cscript\u003e$=1,alert($)\u003c/script\u003e"},
lcfr-eth / 4chan-semgrep.txt
Created April 15, 2025 17:58
4chan semgrep
┌───────────────────┐
│ 371 Code Findings │
└───────────────────┘
admin-test.php
❯❯❱ php.lang.security.exec-use.exec-use
Executing non-constant commands. This can lead to command injection.
Details: https://sg.run/5Q1j
71┆ exec( $cmd );
/*
# ./a
main pid: 78193
child: 78194
dropped to 33
attempt trace self - pid: 78194
ptrace: Operation not permitted
Failed to trace self. Errno: 1
*/
/*
Parent: 77345
child: 77346
dropped to : 33
trying to trace 77345
ptrace: Operation not permitted
failed tracing parent. Errno: 1
Parent: rip children
*/
/*
$ ./a
Parent: 76922
Child: 76923, trying to trace parent: 76922
ptrace: Operation not permitted
failed. Errno: 1
Parent: rip children
*/
lcfr-eth / sendall.py
Created January 9, 2023 23:28
send all eth
from web3 import Web3, HTTPProvider
from eth_account import Account
from eth_account.signers.local import LocalAccount
from web3.middleware import construct_sign_and_send_raw_middleware
from web3.middleware import geth_poa_middleware
import os, time
# Both settings are read from the process environment at import time;
# each is None when its variable is unset.
infura_key = os.environ.get("INFURA")
# NOTE(review): FROMKEY presumably holds the sending account's private key;
# confirm against its use. If so, keep the value out of logs, tracebacks and
# shell history, and fail early when it is missing.
from_key = os.environ.get("FROMKEY")