@N3mes1s
N3mes1s / handle-2.md
Created October 30, 2025 14:34
Comprehensive Analysis: Missing -2 Handle Validation Across GitHub Codebases

Based on my extensive search across GitHub, I've identified a critical security pattern where Windows codebases are NOT checking for pseudo-handle values (specifically -2 / GetCurrentThread()) before using DuplicateHandle().

The Vulnerability Pattern

The bug exists when code follows this unsafe pattern:

// VULNERABLE PATTERN - Missing pseudo-handle check
@rrrrrrri
rrrrrrri / fgt_7.4.x_rootfs_decrypt.py
Created March 15, 2024 01:26
fgt_7.4.x_rootfs_decrypt
import magic
import r2pipe
import hashlib
import argparse
import subprocess
from unicorn import *
from unicorn.x86_const import *
# from udbserver import * # uncomment this line if you want to debug
def pad_size(size):
@pagabuc
pagabuc / extract_offsets.py
Created August 18, 2022 02:07
Find kernel objects containing function pointers
# Written by pagabuc, run with the following:
# gdb --batch --nx -q -x extract_offsets.py ./vmlinux
# This script finds kernel objects that contain function pointers and with size between 1024 and 2048.
# Nested structure types are traversed recursively.
import gdb
import re
struct_regex = re.compile("(struct [a-zA-Z0-9_]*)")
@z0r0z
z0r0z / ClubSig.sol
Last active September 24, 2022 19:47
EIP-712-signed multi-signature contract with NFT identifiers for signers and ragequit
// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity >=0.8.4;
import "https://github.com/Rari-Capital/solmate/src/tokens/ERC721.sol";
import "https://github.com/kalidao/kali-contracts/blob/main/contracts/utils/NFThelper.sol";
/// @notice Minimal ERC-20 interface.
interface IERC20minimal {
function balanceOf(address account) external view returns (uint256);
<?php
/*
If open_basedir is misconfigured it is possible to read and write /proc/self/mem. This means that a PHP script can self-patch
itself to bypass disable_functions and call system() or other dangerous functions. This technique is old; indeed you can find
a PoC by Beched (https://github.com/beched/php_disable_functions_bypass) where the open@plt address is replaced by the system@plt
address (the info is extracted by parsing the PHP and libc binaries).
My approach is similar in the sense of taking advantage of /usr/proc/mem, but to achieve the bypass I overwrite the handler
@jpillora
jpillora / sshd.go
Last active June 3, 2026 17:36
Go SSH server complete example - Read more here https://blog.gopheracademy.com/go-and-ssh/
// A small SSH daemon providing bash sessions
//
// Server:
// cd my/new/dir/
// #generate server keypair
// ssh-keygen -t rsa
// go get -v .
// go run sshd.go
//
// Client: